Sidebar 3-6: Is the Cure Worse Than the Disease?
These days, a typical application program
such as a word-processor or spreadsheet package is sold to its user with no
guarantee of quality. As problems are discovered by users or developers,
patches are made available to be downloaded from the web and applied to the
faulty system. This style of "quality control" relies on the users
and system administrators to keep up with the history of releases and patches
and to apply the patches in a timely manner. Moreover, each patch usually
assumes that earlier patches can be applied; ignore a patch at your peril.
For example, Forno [FOR01] points
out that an organization hoping to secure a web server running Windows NT 4.0's
IIS had to apply over 47 patches as part of a service pack or available as a
download from Microsoft. Such stories suggest that it may cost more to maintain
an application or system than it cost to buy the application or system in the
first place! Many organizations, especially small businesses, lack the
resources for such an effort. As a consequence, they neglect to fix known system
problems, which can then be exploited by hackers writing malicious code.
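The paragraph above describes a bookkeeping burden: an administrator must know the release history and apply patches in an order that satisfies each patch's assumptions about earlier ones. The following script is an added illustration (not from this sidebar or the book it comes from) of the minimum tooling that burden implies: a prerequisite table, a check for patches installed without the predecessors they assume, and a dependency-ordered list of what remains to apply. The patch identifiers and their prerequisite relations are constructed placeholders, not real vendor release data.

```python
"""Patch-prerequisite checker (added illustration; not the sidebar's own code).

Models the sidebar's point that each patch usually assumes earlier patches
are already in place. Patch names and prerequisite edges below are
constructed sample data, not a real vendor's release history.
"""
from collections import defaultdict, deque

# Constructed sample: each patch lists the patches it assumes are installed.
PATCH_PREREQS = {
    "SP1": [],
    "HF-101": ["SP1"],
    "HF-102": ["SP1"],
    "HF-103": ["HF-101", "HF-102"],
    "SP2": ["HF-103"],
}


def missing_prerequisites(installed, prereqs=PATCH_PREREQS):
    """Return {patch: [skipped prerequisites]} for installed patches whose
    assumed predecessors are absent (the 'ignore a patch at your peril' case)."""
    installed = set(installed)
    gaps = {}
    for patch in installed:
        missing = [p for p in prereqs.get(patch, []) if p not in installed]
        if missing:
            gaps[patch] = sorted(missing)
    return gaps


def install_order(prereqs=PATCH_PREREQS):
    """Topologically sort patches so every patch follows its prerequisites.

    Raises ValueError for an unknown prerequisite or a prerequisite cycle,
    either of which means the patch set cannot be applied consistently."""
    indegree = {p: 0 for p in prereqs}
    dependents = defaultdict(list)
    for patch, needs in prereqs.items():
        for need in needs:
            if need not in prereqs:
                raise ValueError(f"{patch} requires unknown patch {need}")
            indegree[patch] += 1
            dependents[need].append(patch)
    # Kahn's algorithm; sorted() keeps the output deterministic.
    ready = deque(sorted(p for p, d in indegree.items() if d == 0))
    order = []
    while ready:
        patch = ready.popleft()
        order.append(patch)
        for dep in sorted(dependents[patch]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(prereqs):
        stuck = sorted(set(prereqs) - set(order))
        raise ValueError("prerequisite cycle among: " + ", ".join(stuck))
    return order


def pending_patches(installed, prereqs=PATCH_PREREQS):
    """Patches not yet installed, in an order that respects prerequisites."""
    installed = set(installed)
    return [p for p in install_order(prereqs) if p not in installed]


if __name__ == "__main__":
    # HF-103 was applied without HF-101 and HF-102, which it assumes.
    applied = ["SP1", "HF-103"]
    print("gaps:", missing_prerequisites(applied))
    print("pending, in order:", pending_patches(applied))
```

Running the script with the sample data reports `HF-103` as installed without `HF-101` and `HF-102`, and lists `HF-101`, `HF-102`, `SP2` as the remaining patches in an order that satisfies every prerequisite. The cycle check matters in practice: a prerequisite table that contradicts itself is a sign that the release history has been recorded incorrectly, not a state to patch through.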
Blair [BLA01] describes a
situation shortly after the end of the Cold War when the United States
discovered that Russia was tracking its nuclear weapons materials by using a
paper-based system. That is, the materials tracking system consisted of boxes
of paper filled with paper receipts. In a gesture of friendship, the Los Alamos
National Lab donated to Russia the Microsoft software it uses to track its own
nuclear weapons materials. However, experts at the renowned Kurchatov Institute
soon discovered that over time some files became invisible and inaccessible! In
early 2000, they warned the United States. To solve the problem, the United
States told Russia to upgrade to the next version of the Microsoft software.
But the upgrade had the same problem, plus a security flaw that would allow
easy access to the database by hackers or unauthorized parties.
Sometimes
patches themselves create new problems as they are fixing old ones. It is well
known in the software reliability community that testing and fixing sometimes
reduce reliability, rather than improve it. And with the complex interactions
between software packages, many computer system managers prefer to follow the
adage "if it ain't broke, don't fix it," meaning that if there is no
apparent failure, they would rather not risk causing one from what seems like
an unnecessary patch. So there are several ways that the continual bug-patching
approach to security may actually lead to a less secure product than you
started with.
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.