Bug Hunting: The Seven Ways of the Security Samurai

by Iván Arce, Core Security Technologies

In 2001, the CERT Coordination Center received reports of 2,437 software security flaws in widely used software. This marked a significant increase over previous years and mirrored the findings of several other security-tracking agencies (see, for example, reports at http://www.nipc.gov/cybernotes/2001/cyberissue2001-26.pdf and www.securityfocus.com).

The effect of this burgeoning bug-finding fever has permeated the world in very interesting ways, ranging from the development of software programs that exploit vulnerabilities to increased mainstream press coverage to heated debates in the information security community over how to disclose findings. Of course, the increase in bugs also gave the technology industry itself a stream of bad publicity—and fodder for aggressive marketing campaigns.

Despite all this, little has been said about the bug-finding process itself. As the “Myth vs. Reality” sidebar describes, the practice is shrouded in misinformation. Although the general public is well acquainted with terms like “hacker,” “bug,” and “virus,” neither they nor many information security professionals themselves know how bug hunters find vulnerabilities or what systematic techniques they use. Here, I’ll offer an overview of that process.

For the article: SP-supplement.pdf

For the publication: http://www.computer.org/computer/sp/articles/arc/index.htm


-------------------------------------------------------------------------
Security & Privacy - Building Confidence in a Networked World
Supplement to Computer Magazine - Published by the IEEE Computer Society
-------------------------------------------------------------------------
Security & Privacy is a new supplement appearing with the April issue of Computer magazine. It brings together many of the leaders in the field of computer security technologies and experts on privacy issues. In this first installment, we focus on the new challenges and increased importance security plays as our society becomes increasingly dependent on technology.
