HP OSMS white paper: Security of Open Source Middleware Stacks

In view of this, secure software contains no risks, as defined by your policy, and it contains no issues that
are exploitable. Therefore, truly secure software does not exist, because it is not possible to prove that any
software is free of flaws. You must always assume that software contains undiscovered security issues.
Proprietary and open source code are no different in this respect. This statement might appear rather bold;
however, it is a perspective you must adopt when securing computer systems.
Remember that even the highest quality software contains a small percentage of flaws. Software engineering
and quality assurance principles attempt to minimize these flaws. All security flaws are bugs,
but the reverse is not true. When a bug can be intentionally triggered and manipulated by an attacker, the
bug becomes a security flaw. When such a flaw exists in certain circumstances, such as in a component running
in a privileged mode, the flaw can become a security vulnerability, which attackers intentionally
exploit. Figure 3 (page 12) shows security threats reported to the United States Computer Emergency
Readiness Team (US CERT or CERT). For more information regarding CERT, see the Web site at:
http://www.us-cert.gov
Figure 3: CERT vulnerabilities. Total vulnerabilities reported 1995–2005. For 2006, data for only the first
two quarters was available, so the total is an estimate.
The discovery of exploitable flaws periodically makes systems insecure. To return your system to a secure
state, you apply a security patch, which fixes the software flaw and closes the exploitable vulnerability.
Therefore, keeping a system up to date with the most recent and secure versions is the means by which
you keep security lapses to a minimum.
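The patching cycle described above reduces, in practice, to one recurring check: is each installed component at or above the version in which a known flaw was fixed? The following script is an added example, not code from the HP white paper; the installed inventory and the advisory list are constructed sample data, and the advisory identifiers are placeholders rather than real CVE numbers. It goes slightly beyond the text by handling the version-string pitfalls that silently break such checks (1.10 sorting below 1.9, and letter suffixes such as 0.9.7a).

```python
"""Patch-currency check: report installed components whose version is still
below the version in which a known flaw was fixed.

Added example (not from the HP OSMS white paper). INSTALLED and ADVISORIES are
constructed sample data; advisory ids are placeholders, not real identifiers."""
import re
from typing import Dict, List, Tuple

VersionPart = Tuple[int, str]


def parse_version(v: str) -> Tuple[VersionPart, ...]:
    """Split '2.0.58' into ((2,''), (0,''), (58,'')) and '0.9.7a' into
    ((0,''), (9,''), (7,'a')), so that components compare numerically
    (1.10 > 1.9) and a letter suffix counts as a later release."""
    parts: List[VersionPart] = []
    for piece in v.split("."):
        m = re.match(r"(\d*)([A-Za-z]*)", piece)
        num = int(m.group(1)) if m.group(1) else 0
        parts.append((num, m.group(2).lower()))
    return tuple(parts)


def is_below(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the fixed-in version.
    Shorter tuples are padded with (0, '') so 2.0 equals 2.0.0."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    pad: VersionPart = (0, "")
    return a + (pad,) * (n - len(a)) < b + (pad,) * (n - len(b))


# Constructed inventory of installed middleware components (hypothetical values).
INSTALLED: Dict[str, str] = {
    "httpd": "2.0.52",
    "openssl": "0.9.7",
    "tomcat": "5.5.20",
}

# Constructed advisory feed: component -> [(advisory id, fixed-in version)].
# The ids are placeholders for illustration only.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "httpd": [("ADV-EXAMPLE-001", "2.0.55"), ("ADV-EXAMPLE-002", "2.0.50")],
    "openssl": [("ADV-EXAMPLE-003", "0.9.7a")],
    "tomcat": [("ADV-EXAMPLE-004", "5.5.17")],
}


def outstanding_patches(installed: Dict[str, str],
                        advisories: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Return {component: [advisory ids]} for every fixed flaw the installed
    version still carries; components with nothing outstanding are omitted."""
    report: Dict[str, List[str]] = {}
    for component, version in installed.items():
        missing = [adv_id for adv_id, fixed_in in advisories.get(component, [])
                   if is_below(version, fixed_in)]
        if missing:
            report[component] = missing
    return report


if __name__ == "__main__":
    for component, adv_ids in outstanding_patches(INSTALLED, ADVISORIES).items():
        print(f"{component}: unpatched for {', '.join(adv_ids)}")
```

Run against the sample data it flags httpd (below 2.0.55) and openssl (0.9.7 is older than 0.9.7a) and stays silent on tomcat, which is already past its fixed-in version. In a real deployment the inventory would come from the package manager and the advisory list from the vendor or distribution feed, but the comparison logic is the part that tends to go wrong.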
The widespread use of automated attack tools and attacks against Internet-connected systems has become
so commonplace that CERT discontinued counting the number of incidents reported. In Figure 4, the
dashed line is only an estimate of the incident count.