Every once in a while, Bruce Schneier comes up with a doozy. Caught this one today (written on 2/5):
"They find, on average, one security flaw per 1,000 lines of code. And when the flaw is fixed, everyone’s security improves."
I am talking about the latter half of the statement, of course. He’s obviously a smart guy, but this is a really naive thing to say – as if you wave your magic wand and the fix automatically applies to the tens or hundreds of thousands (millions?) of instances out there.
Actually, what happens is that security improves for some and decreases significantly for others. That split comes after the risk spikes for the period between discovery/disclosure and patch application. Any individual entity’s risk increases if it doesn’t hit a 100% patch level. This favors small companies and individuals heavily.
Specifically, he’s talking about the DHS paying to have open source code reviewed. And if this is code that the US Government is using, it’s hard to see how it can NOT help everyone. Don’t think of this as “every site is automatically patched,” think of it more as “getting rid of bugs in US Government systems improves the security for all data stored by those systems.” By this way of thinking, I think he’s dead on.
@Beau – That certainly is a better explanation for why he might have said what he said, but I still don’t think it holds much water.
It doesn’t help the 7 billion other people on the planet to have US Govt systems patched. Plus, it sounds to me like a bit of mental accounting to take into account the impact on one set of systems (US Govt) and not all systems where there might be sensitive data of yours.
It’s a good point, though, and I’ll think about it some more. Thanks for the feedback.