Over at the Open Sources blog, Savio Rodrigues calls attention to two critical security vulnerabilities in the Spring Framework for Java. They were discovered by security consultancy Ounce Labs, which disclosed the exploits in a detailed report. If you use Spring for critical business applications, you'll definitely want to be aware of the threats and take appropriate measures.
While awareness of security is always important, however, not everyone agrees that vocal public disclosure of vulnerabilities, as Ounce Labs and the Spring developers have done, is the right approach. For example, when working on the Linux kernel, Linus Torvalds prefers to keep security-related chatter to a minimum.
"I personally consider security bugs to be just 'normal bugs,'" Torvalds writes on the Linux kernel development mailing list. "I don't cover them up, but I also don't have any reason whatsoever to think it's a good idea to track them and announce them as something special." If nothing else, he says, doing so only gives would-be attackers an advantage when developing their exploits.
This is a perennial debate, and one that's likely to go on indefinitely. We should note, however, that it is by no means limited to software development. Security is a constant concern throughout the world -- not merely in other aspects of human society, but in the animal kingdom, as well. In an interview with New Scientist magazine, marine biologist Raphael Sagarin proposes that humans can gain a lot of insight into how to best address security issues by studying animal models.
"You can look at virtually any question about security through a biological lens," Sagarin says. "You look at what the most successful organisms do to solve their security problems, and then you try to use that."
Like organisms in nature, businesses want to be successful. One generally accepted means of getting ahead in business is to mediate risk wherever possible. That's what companies are doing when they subscribe to security alerts about their software: By staying informed about the latest vulnerabilities, they hope to minimize the risk that they will fall victim to unknown exploits.
"But organisms inherently understand that there is risk in life," Sagarin says. "The idea that we can eliminate these risks would be selected against quickly in the natural world, since any organism that tried to do so would not have enough resources left for reproduction, or feeding itself."
Apparently, Torvalds agrees -- quite explicitly. "I think the OpenBSD crowd is ," he says by way of example, "in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them."
Torvalds' jibes against rival operating systems aside, he makes a good point. According to Sagarin, humans are easily tempted to pay too much attention to specific threat signals, regardless of the overall level of danger. We sometimes call such signals "crying wolf" -- a phrase that undoubtedly hits home for marmot populations in the wild.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Agile in the Enterprise
Taking On Demand CRM Integration to the Next Level
CRM your salespeople will love
How to Beef Up Your Sales Pipeline
Email Archiving Implementation: Five Costly Mistakes to Avoid
Understanding Email Marketing: A Guide for SMBs
Achieving the impossible: Unlimited application scalability
Mimosa™ NearPoint™ for Microsoft® Exchange Server: Email Archiving 101
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
FrontRange Solutions launches HEAT Plus Mobile to reduce help desk costs and improve service management productivity 2008-12-02 15:15:00+11
AARNet Helps to Advance Indigenous Health 2008-12-02 12:44:00+11
Orbis selects Telstra International as its data centre partner for the UK, Europe and Middle East Region 2008-12-02 11:23:00+11
ComOps Deploys Corporate Performance Reporting Solution For Healthcare Test Manufacturer 2008-12-02 10:09:00+11
Mornington Peninsula Shire implements Objective to manage knowledge and deliver service excellence 2008-12-02 09:56:00+11
Gaining Competitive Advantage Through Enterprise Planning
No matter how good its products or innovative its services, no organization can perform to its full potential without an adequate planning structure in place. Discover how this can be done by reading on.
Buying Guides
Latest Products
Buying Guides
