Over at the Open Sources blog, Savio Rodrigues calls attention to two critical security vulnerabilities in the Spring Framework for Java. They were discovered by security consultancy Ounce Labs, which disclosed the exploits in a detailed report. If you use Spring for critical business applications, you'll definitely want to be aware of the threats and take appropriate measures.
While awareness of security is always important, however, not everyone agrees that vocal public disclosure of vulnerabilities, as Ounce Labs and the Spring developers have done, is the right approach. For example, when working on the Linux kernel, Linus Torvalds prefers to keep security-related chatter to a minimum.
"I personally consider security bugs to be just 'normal bugs,'" Torvalds writes on the Linux kernel development mailing list. "I don't cover them up, but I also don't have any reason whatsoever to think it's a good idea to track them and announce them as something special." If nothing else, he says, doing so only gives would-be attackers an advantage when developing their exploits.
This is a perennial debate, and one that's likely to go on indefinitely. We should note, however, that it is by no means limited to software development. Security is a constant concern throughout the world -- not merely in other aspects of human society, but in the animal kingdom, as well. In an interview with <i>New Scientist</i> magazine, marine biologist Raphael Sagarin proposes that humans can gain a lot of insight into how to best address security issues by studying animal models.
"You can look at virtually any question about security through a biological lens," Sagarin says. "You look at what the most successful organisms do to solve their security problems, and then you try to use that."
Like organisms in nature, businesses want to be successful. One generally accepted means of getting ahead in business is to mediate risk wherever possible. That's what companies are doing when they subscribe to security alerts about their software: By staying informed about the latest vulnerabilities, they hope to minimize the risk that they will fall victim to unknown exploits.
"But organisms inherently understand that there is risk in life," Sagarin says. "The idea that we can eliminate these risks would be selected against quickly in the natural world, since any organism that tried to do so would not have enough resources left for reproduction, or feeding itself."
Apparently, Torvalds agrees -- quite explicitly. "I think the OpenBSD crowd is ," he says by way of example, "in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them."
Torvalds' jibes against rival operating systems aside, he makes a good point. According to Sagarin, humans are easily tempted to pay too much attention to specific threat signals, regardless of the overall level of danger. We sometimes call such signals "crying wolf" -- a phrase that undoubtedly hits home for marmot populations in the wild.