Are we taking vulnerabilities less seriously?

The OpenBSD IPv6 Remote DoS vulnerability has striked debate and strong reaction on whether denial-of-service is a security vulnerability or not. Let's go back to the fundamentals we all learned early on: C-I-A, Confidentiality, Integrity and Availability. We can have the most secure systems in the world by disconnecting them from everything and making them unavailable, both on the internet and physically. What good does this do for us?

Some may not see a DoS as serious as say remote execution or privilege escalation, but in many industries, availability is more important than confidentiality or integrity. What happens when medical systems are unavailable, or an online store's web site goes down? Availability of the systems is just as important as the confidentiality and integrity, and for us to think of availability as some luxury we can do without... makes having confidentiality and integrity pretty pointless.

Michael Howard posted his thoughts on judging Windows Vista security which has received criticism from Slashdot, ComputerWorld and MSRC stated it will not change how it rates vulnerabilities because of underlying technology. Lowering the criticality of a vulnerability because of some preventative technique in use, is a bad idea in my opinion. Richard Bejtlich stresses the fact, and Joanna Rutkowska stated it in her recent Dark Reading interview, "prevention eventually fails." These technologies in Vista supposed to prevent such vulnerabilities from happening, will eventually be exploited. The question then becomes, what do we do next? Let's not play the semantics game and just stick to fixing the issues in a timely manner.

Posted by Marcin on Sunday, March 18, 2007 in Security.