Lessons Learned from CanSecWest
In a recent hacking contest at CanSecWest that pitted Microsoft, Mac and Linux against each other in a head-to-head hackathon, the last surviving system was a fully patched Ubuntu system. The first system to fall was the Mac, which succumbed to an exploit in Safari on the second day of the three-day competition. Vista was hacked on the third day of the competition as a result of a Flash vulnerability.
While this is an interesting and exciting win, the real message I take from it is twofold. First, if properly patched, Microsoft, Mac, and Linux are all secure. While one could argue that Safari is integrated into the Mac OS, it is noteworthy that none of the systems were hacked as a result of an OS vulnerability, and therefore all three OSes can stake a claim to a level of security. Second, even the winner, Shane Macaulay, recognized the inherent vulnerability of all platforms when he said “Nobody can do anything about it, because you’re always going to be installing something [that will bypass security]. If it’s not Java it’ll be something else.”
Until all application developers place a focus on security over functionality, the only way to secure a system is to eliminate functionality. While some open source advocates will point out that having source available for public code review will eliminate inherent security bugs, I would counter by asking about the applications that have a limited number of developers with varying skill. If you search SourceForge by the number of developers in any given project, you will find a large proportion of projects with fewer than five developers registered. Although the source is available for many projects, that doesn’t mean people are reviewing it for bugs.
This issue isn’t one of open source versus closed source; software that offers features and functionality simply introduces risk. The lesson that should be pulled from this is that the best way to secure a system is to pare down the application install base to the minimum requirements and patch frequently.
Congratulations to Shane Macaulay for his victory.