Learning from Disaster

David A. Wheeler

2017-09-25 (first 2015-02-13)

Many serious computer security vulnerabilities have been found over the years. I believe that those involved in developing or operating computer systems can - and should - learn from these past mistakes.

Here is a collection of essays, mostly by me, that focus on lessons to be learned from various vulnerabilities or computer security problems (aka “disasters”):

1. How to Prevent the next Heartbleed (Heartbleed)
2. Shellshock
3. The Apple goto fail vulnerability: lessons learned (goto fail)
4. POODLE attack against SSLv3 (POODLE)
5. Sony Pictures, Lax Security, and Passwords (Sony)
6. What the GHOST tells us about free software vulnerability management by Hanno Böck (GHOST)
7. Who decides when you need to update vulnerable software? (Equifax)

Each disaster is fundamentally a story of things that went wrong. I think each tale is really interesting, especially since they each give us an opportunity to learn and do better.

Feel free to see my home page at https://www.dwheeler.com. You may also want to look at my paper Why OSS/FS? Look at the Numbers! and my book on how to develop secure programs.

(C) Copyright 2014-2017 David A. Wheeler.