
A Developers Security Bugs Primer

CmdrTaco posted more than 7 years ago | from the important-stuff-here-people dept.


CowboyRobot writes "ACM Queue's current issue on Open Source Security includes a short article by Eric Allman of Sendmail on how to handle security bugs in your code. "Patch with full disclosure. Particularly popular in the open source world (where releasing a patch is tantamount to full disclosure anyway), this involves opening the kimono and exposing everything, including a detailed description of the problem and how the exploit works... Generally speaking, it is easier to find bugs in open source code, and hence the pressure to release quickly may be higher.""


Opening the kimono and exposing everything (5, Funny)

Anonymous Coward | more than 7 years ago | (#18143444)

Check with local law enforcement first, as this is illegal in most prefectures.

Re:Opening the kimono and exposing everything (0)

Anonymous Coward | more than 7 years ago | (#18143460)

Yet tacitly approved.

Eight pounds of fabric... (0)

Anonymous Coward | more than 7 years ago | (#18144348)

Kimono Streaking is a sport that requires patience above all. Leaves enough time for a fair size crowd to gather.

Priority... (4, Insightful)

Architect_sasyr (938685) | more than 7 years ago | (#18143504)

Something I have noticed with the development team at my current place of work (I'm not on the team thankfully) is that they tend to do jobs in the order they were received... it makes the KPIs look damn good (all jobs are knocked over within x time frame) when in reality they should be setting a priority on each of these jobs.

We recently (1 month ago) had a form in an easily accessible place vulnerable to SQL Injection due to a failure to validate ANY of the data passed to it. This job was only just patched this past week (and all updates have been run). This time frame, as far as I am concerned, is entirely unacceptable for a job that was so easy to fix yet so dangerous to our business.

On disclosure: Add it to the release notes. If you roll out a patch for one problem, then the problem will be described in the release notes. If the release is internal then the problem will (SHOULD) also be documented in the testing plan and procedure.

My $0.02.

Re:Priority... (2, Insightful)

--daz-- (139799) | more than 7 years ago | (#18144124)

Why are people still generating SQL? Don't all the major DB engines favor prepared statements anyhow? Note: prepared statements =/= Stored Procedures, though in some engines, stored procedures are just another FORM of prepared statements. Using prepared statements (or parameterized queries, etc, etc) pretty much eliminates all SQL injection problems.

Parsing is messy business and there's usually ways to thwart it by a determined h4x0r.
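An added example (not from the thread or from Sendmail) of the distinction daz draws, using Python's sqlite3 module with a constructed in-memory table: the same input that breaks or widens a query built by string concatenation is treated purely as a comparison value by the parameterised form.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the form's backing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_generated(conn, name):
    """'Generating SQL': the user-supplied value is spliced into the query
    text, so a quote character in the input becomes part of the SQL grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared/parameterised statement: the query shape is fixed up front and
    the value is bound separately, so it can only ever be compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return (generated, prepared).

    A syntax error from the concatenated query is returned as a string so the
    two behaviours can be compared side by side."""
    conn = make_db()
    try:
        generated = lookup_generated(conn, name)
    except sqlite3.Error as exc:
        generated = "error: " + str(exc)
    prepared = lookup_prepared(conn, name)
    return generated, prepared


if __name__ == "__main__":
    # A legitimate name with an apostrophe breaks the generated query but is
    # found by the prepared one; a tautology that widens the generated query
    # to every row matches nothing when bound as a parameter.
    for value in ("bob", "O'Brien", "' OR '1'='1"):
        print(repr(value), "->", compare(value))
```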

Re:Priority... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18144140)

> Why are people still generating SQL?

Thousand bucks says he's using PHP.

Re:Priority... (1)

Architect_sasyr (938685) | more than 7 years ago | (#18148488)

Not using PHP actually... and people still generate SQL because sometimes a stored procedure is not worth the time or they do not know how to write it. Like I said, I am not on the development team, so I really cannot comment on their choices...

Short sighted. (3, Funny)

Spazntwich (208070) | more than 7 years ago | (#18143510)

This is an extremely narrowly focused article. He doesn't account for anyone else's choice of apparel, and Netcraft has recently confirmed that Kimonos are dying anyway. There can't be that many users of such an outdated technology.

Next time take into consideration those who choose to wear sweatpants, moo-moos, and the increasingly popular among furries peanut butter suit + placard.

I wouldn't listen to him. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18143600)

For years sendmail has been one of the most insecure programs on a typical UNIX or Linux system. Numerous systems have been compromised due to flaws in sendmail.

Sendmail is a poorly designed and poorly implemented system. So I'm not sure I'd really want to listen to the author of such a system telling me how I should improve my code. Maybe he should get his to a reasonable state, first. After around two decades of development, you think it'd be of a higher quality by now.

Re:Short sighted. (1)

AndroidCat (229562) | more than 7 years ago | (#18145130)

Surely no one has tried a peanut butter suit since the Human Sh-t debacle many years ago? (1. peanut butter oils embed themselves in the skin. 2. It quickly goes extremely rank and nasty. 3. It rubs off on anything you brush against. 4. weapon of mass destruction against the peanut intolerant.) It's on the same Do Not Want list as using hot-melt glue to attach costume bits to flesh.

Missing apostrophe (1)

SamSim (630795) | more than 7 years ago | (#18143602)

Shouldn't that be "A Developer's Security Bugs Primer"?

This site has editors, right?

Re:Missing apostrophe (1)

nateb (59324) | more than 7 years ago | (#18143796)

I think you're confusing them with people that have pride in their work.

idiot. (0)

Anonymous Coward | more than 7 years ago | (#18145040)

You should have said "...people who half pried in they're work.

The rule is "I before E, except after C (and some stupid exceptions)". The rule is also that you use an apostrophe when your talking about the plural "they're" and not the singular "their".

If theres something I cant stand its people who cant spell and have bad grammar.

Re:idiot. (1)

Asztal_ (914605) | more than 7 years ago | (#18145126)

Where are all the real grammar nazis and what did you do with them?

Re:Missing apostrophe (0)

Anonymous Coward | more than 7 years ago | (#18143806)

I had to re-read the subject about 5 times before I understood what it was talking about.

Re:Missing apostrophe (1)

dour power (764750) | more than 7 years ago | (#18143994)

Or maybe it should be "A Developers' Security Primer." Either way, the editor's' we're not paying attention.

Re:Missing apostrophe (1)

flosofl (626809) | more than 7 years ago | (#18144132)

The article a is used with singular nouns. So no, it would not be Developers'

Re:Missing apostrophe (1, Informative)

Anonymous Coward | more than 7 years ago | (#18144356)

The article a is used with singular nouns

Yes, such as "primer". "A (Developers' (Security Bugs) Primer)" is a valid way of describing a primer for developers regarding security bugs.

Re:Missing apostrophe (0)

Anonymous Coward | more than 7 years ago | (#18144620)

Maybe like me they all use Firefox and the damn fecking apostrophe triggers the Quick Find, often as not.
It's enough to drive a man to apostrophe... "O wee Foxy, thy bugs do gnaw and gnash."

Fixes?:
http://lifehacker.com/software/firefox/quick-firefox-tip-singlekey-search-tool-236156.php [lifehacker.com]
http://ffextensionguru.wordpress.com/2007/01/10/fx-tweak-quick-find-bar/ [wordpress.com]

(Gotta read the comments (last comment on both pages @ 25-Feb-07 12:30 -600) since the blog authors aren't a help.)


He should know (0)

Anonymous Coward | more than 7 years ago | (#18143658)

Sendmail after all....

Sendmail? (4, Funny)

jfedor (27894) | more than 7 years ago | (#18143802)

Getting advice on how to handle security bugs in your software from someone who works on Sendmail is like getting advice on dealing with relationship problems from someone who was divorced seven times. I mean, sure, he's got experience...

Re:Sendmail? (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#18143894)

Not to mention the fact that the idea of a bearded GNU hippy "opening the kimono and exposing everything" is enough to make me run screaming to Exchange.

Re:Sendmail? (0)

Anonymous Coward | more than 7 years ago | (#18144674)

And he left out "make the program's input look like line noise, so nobody can tell".

Good idea actually (0)

Anonymous Coward | more than 7 years ago | (#18146826)

No, they're getting advice on how to *respond* to security bugs. So a sendmail guy is perfect, because he would have had to deal with more high impact security issues than most other people in open source.

It's like getting advice on dealing with divorce lawyers from someone who was divorced seven times.

Re:Sendmail? (2, Interesting)

myowntrueself (607117) | more than 7 years ago | (#18148088)

Getting advice on how to handle security bugs in your software from someone who works on Sendmail

It could be worse; it could be advice on how to write readable code from the person who wrote qmail.

Well, i suppose it's good to consult an authority (0)

Anonymous Coward | more than 7 years ago | (#18144020)

While there's little question that Eric Allman is one of the world's authorities on putting bugs into code, I'm skeptical about what he may have to say about getting them out, other than it's easier to just let other people suffer their consequences and also come up with the fixes so you can cash out and go on a decade-long self-promotional tour.

ACM, shame on you for wasting perfectly good paper like this.

+tag irony (0, Flamebait)

Tack (4642) | more than 7 years ago | (#18144084)

Take a step back and bask in the irony.

It's not the bugs (2, Informative)

VENONA (902751) | more than 7 years ago | (#18144360)

...which I don't really think now occur in sendmail at a higher rate than some other infrastructure bloatware. People are sometimes very slow to upgrade from very old versions, when problems were more common. For whatever reason (I lean toward complexity of administration), I see this a lot more often with mail systems than other infrastructure plumbing.

But here's a bit of irony: the ACMQueue article would seem to indicate that Allman believes in transparency. OK, the sendmail security page lives at:
http://www.sendmail.com/security/ [sendmail.com]

But you have to know that, find it via Google, or just guess. When the page loads, you'll find a pagetop navigation bar with a Resources section. But pull open the Resources section, and you find no link to it. Nor will you see it from the site map.

My overall take is that if you already know the ins and outs of sendmail admin (and other bits that it may be talking to, such as LDAP) you're running software which carries no greater than mainstream risk.

That said--this is complex software, and complexity is the enemy of security. If you're planning a new installation (particularly a small installation), and don't need all of sendmail's features, you should consider possible alternatives offered by your Unix/Linux vendor.

Re:It's not the bugs (2, Informative)

Jubal Kessler (7025) | more than 7 years ago | (#18147678)

Huh? The "Security" link on the front page of http://sendmail.org/ [sendmail.org] works fine.

Re:It's not the bugs (1)

VENONA (902751) | more than 7 years ago | (#18148054)

Indeed it does, but I was on about sendmail.com, not .org. The commercial company founded by Allman for sendmail support. You'd think that the commercial company founded for support would have a prominent and functioning link to their security page, right? As a sort of, well, *support* thing? Nope.


Those Lucky A Developers! (2, Funny)

Anonymous Coward | more than 7 years ago | (#18144760)

What about the B developers? Do they not get a security bugs primer?

Re:Those Lucky A Developers! (1)

beady (710116) | more than 7 years ago | (#18153238)

If that's true then once you get as low as C Developers, they don't stand a snowball's chance in hell of avoiding Security Bugs.

Please punctuate appropriately with 5th grade (0, Redundant)

azav (469988) | more than 7 years ago | (#18146852)

The title, "A Developers Security Bugs Primer", is incorrect.

Developers = more than one developer.
Developer's = the term following belongs to the developer.
Developers' = the term following belongs to more than one developer

We are supposed to learn this in 5th grade.

It is embarrassing that grown men, employed by the most prominent IT website, will publish an article where the title would fail 5th grade English.

If we are to hold ourselves to a higher technical standard, we should at least be able to spell and punctuate as if we have passed Grade School. I'm not talking about College, not High School, not even Jr. High, but Grade School.
