
Conficker Overflow

April 1st, 2009

Topic du jour is Conficker: http://blog.wired.com/27bstroke6/2009/03/conficker-how-a.html

In my opinion the first thing software makers should invest in to reduce the number of vulnerabilities is more code reviews focused on security. Senior engineers are ‘gatekeepers’; they need to be held accountable (within their own company, not publicly) if their team releases flaws which could have been prevented.

A second one is more testing. Hackers are able to find vulnerabilities, so software makers can too! Software makers have the (dis)advantage of knowing how the software is built, which gives them the ability to model likely vulnerabilities and then test for them. It’s in great part a matter of having test engineers spend time on the problem.

But since this is all being done already, yet obviously not well enough, I think what we need to do is to re-inject a bit of good old TQM (Total Quality Management) into the whole process.

It’s an economic problem more than anything. A bit like the fight against terrorism; it’s way more expensive to prevent it than it is to commit an act of terrorism.
