yourselfkerop.blogg.se

3 Juni 2022 - 01:30
What is solarwinds software
Allmänt
What is solarwinds software





  1. #What is solarwinds software Patch
  2. #What is solarwinds software software
  3. #What is solarwinds software code

#What is solarwinds software software

If nothing else, it would be nice if this Solarwinds fiasco causes other proprietary software companies to look at their processes and see if they're vulnerable to the same sorts of problems.

#What is solarwinds software code

So the malicious code itself may not need to be very clever at all and instead could be completely obvious and still escape detection.Īnd often the amount of testing that goes into proprietary code is simply "does it work?" rather than anything more complicated like "is this the best way to do it?", "does it perform well?" or "does this introduce any security holes?" The "clever enough" bar may very well be very low here.Īfter all, depending on the internal processes, the number of other people who review one's code may be as low as one, and they may be able to mark their own code as "already reviewed" (even if that's not the usual procedure) so it gets dropped to zero. It is also possible that somebody clever enough works for a company and slips their malicious code into proprietary software That said, if you start asking the question "how much would it cost to start embedding coders with good reputations into FOSS projects", I think the number you come up with is definitely well within reach of many state actors.

#What is solarwinds software Patch

Which cuts both ways against malicious code adds:ġ.) An attacker would likely have to submit several patches before trying to "slip one through"Ģ.) If their patch was considered bad, or malicious, there goes their reputation.ģ.) The attacker would need to be "addressing" a bug or adding a feature, and would then be competing with other implementations.Ĥ.) There are a bunch of others out there, looking to "gain reputation", and spotting introduced security flaws is one great way to do that. The better argument is "There are enough smart people who follow the implementation details of important projects to make getting rogue code accepted non-trivial" They are difficult problems, and they continue to be issues for FOSS today. The fact is that there have been high profile instances in the last several years where significant, exploitable flaws have persisted for years in FOSS- Shellshock persisted for 25 years, Heartbleed for 2-3 years, the recent SSH reverse path flaw for about 20 years, not to mention flaws like the IPSec backdoor that has been suspected to be an intentional insertion which lasted 10 years.įOSS relies on very good controls and very good review to be secure, and I feel like people handwave that away as "solved". Not many people have the skills to write code for some of the more sensitive areas of these projects, and those that do are rarely going to also have the skills to understand how obfuscated / malicious bugs can be inserted- let alone be vigilant enough to catch every one. There is practically no one in this thread, and very few people in the world, who would catch a clever malicious bug in the Linux Kernel, or OpenSSL, or Firefox. Open source is great- don't get me wrong.īut when people complain about "weak arguments" from proprietary vendors, and respond with nonsense like "the open source code can be reviewed by literally anyone in the world", I have to call shenanigans. They also noted that in theory a thief can dig under your home and break in but the likely hood is minimal and would be expensive to protect from and why risk management is also a big part of security and costs. They pointed on how each level increased security from a thief breaking in and stealing and increased the time it would take to break in, but at the end of the day if a thief can walk up to your door and convince you to let them in, all that is worthless, and why you should assume that you will get compromised from everywhere and plan from that perspective. House with fence, beware of dog sign, a dog, and security cameras.House with fence, beware of dog sign, and a dog.House with fence and beware of dog sign.The list of houses from least to most secure was: It came from an infosec class that compared protecting your network to protecting your house from a thief. I take the perspective that you will be compromised, so implement what lessens the impact of the compromise.







What is solarwinds software
0 kommentar(er)
Om Mig: