A role model for security. Almost.
Jason Miller, 2005-06-08

Mark Burnett beat me to it. I was planning to write an article on the relationship between good security and paranoia in the not too distant future. However, it appears that at least one other SecurityFocus columnist shares some of my theories on good security. Either that, or he's somehow capable of reading my mind. Paranoia is generally a good thing to have. Regardless, Mark's article got me wondering about what other traits are valuable in the quest for good security.

The pursuit of absolute security is a lot like perfectionism. Both are unattainable and the task of pursuing them is itself a never-ending process, a determined quest for a goal that can never be realized. The fact that perfection cannot be achieved does not prevent a perfectionist from attempting to find it, however. Likewise, the fact that absolute security is an impossibility won't stop a good security professional from trying to achieve it. Simply put, there is never a point where a good security professional says that a network is so secure that it doesn't require improvement.

Qmail's pursuit of perfection

If we think about applications with a relatively "perfect" (I use the term very loosely) security track record, not many come to mind. However, I'd be willing to bet that software written by Dan Bernstein, specifically qmail (and djbdns), might be first among those mentioned. Why is qmail considered secure? There are two main reasons.

First, Bernstein designed qmail with security in mind. If everyone who wrote software actually made security a design priority, we'd be in a lot less trouble with vulnerabilities than we are now. But it appears this is too much to ask, because so much software out there seems to treat security as little more than a casual afterthought.

Secondly, Bernstein strives to write bug-free code. Although this is an unachievable goal, that hasn't stopped him from trying. His code has now stood the test of time, and has done so with a very small security vulnerability footprint.

The combination of these two factors has made qmail a very successful application for secure environments.

Qmail isn't perfect

Georgi Guninski recently published a vulnerability in qmail (albeit not a practical one), which can be exploited on specific configurations of some 64-bit systems. That's right. Even qmail has bugs. This shouldn't be a surprise to anybody.
Story continued on Page 2 



Jason Miller manages the Focus IDS area for SecurityFocus.
Copyright 2010, SecurityFocus