Bugs! resources


Linus' law

Bugs!, software engineering & quality

Thoroughly recommended: Testing Computer Software by Cem Kaner, Jack Falk and Hung Quoc Nguyen is one of our all-time favorite computer books.  As you might be able to tell from the cover shot, our 1993 Second Edition is well thumbed and slightly dog-eared but still has enormous practical value to this day.  Better than that, it’s an entertaining read on an otherwise rather dry and (dare we say it) boring subject.  This classic tome has been republished and reprinted by Wiley - grab yourself a copy while you still can (~$53 from Amazon) ... and protect the cover.  Alternatively, try Cem Kaner’s 2003 book Lessons Learned in Software Testing.

Worth a good look: Build Security In is a website devoted to helping programmers develop secure code.  It is a DHS and SEI initiative, meaning both funding and a solid pedigree.

Worth a good look: Building Security In - Maturity Model provides a framework to encourage and support the design, development and release of less insecure software, meaning fewer bugs and design flaws.

A podcast by Julia Allen of the Software Engineering Institute explores the increasing interest in producing software that is secure by design.

Microsoft is changing Office to improve users’ ability to control access to documents etc. (digital rights management).  Unfortunately, it appears that the Word functionality to password-protect document edits can be bypassed by editing the document file with a hex editor.  “(When) you use the Password to Modify feature, the feature is functioning as intended even when a user with malicious intent bypasses the feature,” the technical support document explained. “The behavior occurs because the feature was never designed to protect your document or file from a user with malicious intent.”   This is surely one of the most blatant “It’s not a bug, it’s a feature” cop-outs we’ve ever seen!!

Curious how to report Microsoft bugs?  Try this site.

Testing is of course just one means of dealing with Bugs! but don’t forget the distinction between Quality Assurance (meaning building and implementing structured and managed production processes so as to improve the quality of the product, also known as Right First Time or Continuous Improvement) and Quality Control (meaning testing and identifying defective products, removing them from the production line before they reach customers, also known as Break Fix mentality).  ‘Right first time’ makes just as much sense for software as for hardware.

Simson Garfinkel summarized some of the worst bug-related incidents stretching back several decades.  Bruce Tognazzini collects details on well-known bugs.  Read about 50 well-known bugs.

“I believe in bugs (I truly believe in bugs)” - a song by Ivor Cutler - is one of several bug-related tracks listed at artofthemix.org.

NIST Special Publication 800-64 explains Security Considerations in the Information System Development Life Cycle while SP 800-42 is a Guideline on Network Security Testing.

Security-relevant Bugs! & vulnerability management

Recommended resource: Secunia.com is arguably the official reference site for security vulnerabilities.  Should you need persuading that bugs are a serious security issue, just take a peek at Secunia or the Open Source Vulnerabilities Database and count the number of vulnerabilities announced in a day (pick a day, any day).


Recommended resource: Hacking Exposed - Network Security Secrets & Solutions by Stuart McClure et al. is another useful book on the subject of Bugs! with a particular emphasis on bugs that cause security vulnerabilities.  Please visit our hacking links page for more information.  (~$33 from Amazon)

According to a research project reported in Network World, “Vendors are making mistakes when they write programs for Windows”. The project identified security vulnerabilities in mainstream Windows programs such as AOL Instant Messaging. 

NIST’s National Vulnerability Database reports an average of 8 new security vulnerabilities every day, with over 12,000 already listed. It’s not difficult to see that keeping track of new vulnerabilities, assessing whether they are relevant, testing and applying patches to all relevant systems is no trivial matter for the average corporation. Any organization that lacks adequate IT resources must surely struggle.

Special Publication 800-40 on Creating a patch and vulnerability management system is yet another outstanding document from NIST.  It recommends creation of a Patch and Vulnerability Management Group, use of automated update facilities and tools (with due care given the associated risks), standardized IT platforms and quality assurance techniques to improve the patching processes.

Patching

Users of Oracle systems should double-check that the patches they think they have applied have in fact been successfully applied.  Inconsistencies in the internal inventory of Oracle programs maintained by an Oracle installation, for example, may result in relevant patches being missed.  Given the number of patches released by Oracle, this is a serious concern.

A honeypot system running unpatched XP Home was compromised within ~15 minutes of web connection.  Get your patching processes up to scratch or face trying to explain to your stakeholders why you suffered avoidable information security incidents ...

Microsoft’s Security Program Manager Chris Budd explained Ten Principles of Microsoft Patch Management.  Chris clearly knows what he is talking about since Microsoft is evidently rather well practiced at the fine art of patching ...

Kaseya, Patchlink Update, Ecora and Marimba are just some of the patch management products that help corporations apply relevant security patches consistently throughout their IT estates [we have no experience of any of them, do not endorse them and have no opinion about their suitability for your requirements!]

Microsoft Update is Microsoft’s consolidated Windows and Office automated patching system.  Previously, users had to check and update Windows and Office separately.  The software also checks for driver updates (for some installed drivers, if not all).

Winpatch is a collection of scripts and utilities for patching Windows systems. Essentially, they check the registry to see whether patches have been applied and if not they apply them.

HFnetChk Pro from Shavlik is a commercial product for checking Windows security, including patch status.  A cut-down version of HFnetChk is available for free from Microsoft (Microsoft Baseline Security Analyser).

Origin of “Bugs!”

Recommended reading: The first documented use of the term “bug” is ascribed to an entry in a machine log for the Mark II Univac in 1947.  According to a story recounted by Rear Admiral Grace Hopper and noted in her lab notebook, a 2-inch moth was found to have crawled into the electromechanical computer system and expired under a relay that actuated, thus affecting the operation of the system.  Grace Hopper inspired a whole generation of IT folk and gave us this insightful comment: “Some day, on the corporate balance sheet, there will be an entry which reads, ‘Information’; for in most cases the information is more valuable than the hardware which processes it.”

Poor quality telegraph operators were apparently known as bugs around the start of the 20th century.  The mechanical semi-automated telegraph senders sold by Vibroplex and others to make it easier to send accurate Morse code quickly are still known affectionately as bugs.  It is conceivable that this contributed to the use of bugs meaning errors.  Yet another possibility is suggested by the phrase “Don’t bug me”, in other words don’t bother or annoy me, implying that bugs are annoyances.

Covert surveillance (bugging)

The risks arising from bugs and other eavesdropping devices are described on this US Government Department of Energy page.

Worried about your cellphone being used to bug you?  Or worried you might be paranoid for even considering it?  Read about the practical limitations on covert bugging using cellphones and the telltale signs if your phone really is being used as a bug.

Mobile phones with digital cameras can be used to photograph secret diagrams, designs, papers and machine tools.  This is an update on the old trick of leaving a standard mobile phone on the table in the negotiating room while the owner goes to the bathroom, having surreptitiously phoned a colleague or an answerphone to record the conversation.  It is technically possible (though probably illegal) to jam or disable mobile phones using radio transmissions, but procedural controls are generally cheaper and easier.  Do your visitors really need their phones while on site?

IEEE standard 802.3af for providing power over Ethernet cabling could mean that covert LAN bugging devices (as well as legitimate LAN devices!) need not rely on battery power or be located near a mains power source ...

If you think covert video surveillance only happens in James Bond movies, discover the pros and cons of various miniature cameras along with the techniques used to conceal them and detect them.


Related NoticeBored links collections

Secure software development, change management, integrity, incident management,
confidentiality, general information security


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk.  Please let us know about new or broken links.



Copyright © 2010  IsecT Ltd.