Does the Cloud Mean It's Past Time to Change Approaches to Vulnerability Testing?


One character can hold a lot of power; within a word, you can change "book" into "boot" or "wash" into "wish." Microsoft learned what just one character could do when it was told that a typo in the ActiveX control MSVidCtl allowed attackers to exploit the company's flagship browser, Internet Explorer. The typo, an errant "&" character, was found in a modified earlier version of the ActiveX control. The bug has been tied to a rash of recently compromised Web sites.
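To show how much one stray "&" can change in C, here is an added illustration (my own hypothetical example, not the MSVidCtl code, whose actual defect the post does not describe in detail). The permission bits and the access check are assumptions made up for the demonstration; the point is that adding a single "&" turns a bitwise test of one flag into a logical test that any non-zero value passes.

```c
#include <stdio.h>

/* Permission bits for a hypothetical access check (an assumption for
   this example, not taken from any real product). */
enum { PERM_READ = 1u, PERM_WRITE = 2u, PERM_ADMIN = 4u };

/* Intended check: the caller's permission set contains the WRITE bit. */
int can_write(unsigned perms)
{
    return (perms & PERM_WRITE) != 0;
}

/* The same line with one extra '&'. "&&" is logical AND: PERM_WRITE is
   a non-zero constant, so the expression is true for ANY non-zero perms,
   including a read-only caller. The code still compiles and still
   "works" for callers who really do have WRITE, which is why such a
   typo survives casual testing. */
int can_write_typo(unsigned perms)
{
    return (perms && PERM_WRITE) != 0;
}

/* Count the permission sets in 0..7 on which the two checks disagree.
   Every disagreement is a caller the typo wrongly lets through. */
int count_disagreements(void)
{
    int n = 0;
    for (unsigned p = 0; p < 8; p++)
        if (can_write(p) != can_write_typo(p))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample input: a caller holding only READ. */
    unsigned read_only = PERM_READ;

    printf("intended check, read-only caller: %d\n", can_write(read_only));
    printf("typo'd check,   read-only caller: %d\n", can_write_typo(read_only));
    printf("permission sets on which the two checks disagree: %d of 8\n",
           count_disagreements());
    return 0;
}
```

A code reviewer would flag this on sight, and a compiler warning about a constant operand of "&&" (clang's -Wconstant-logical-operand, for example) would catch it too, which is the kind of second pair of eyes the rest of the post argues for.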


Microsoft issued a stop-gap fix in the form of a kill bit (a registry setting that prevents a given ActiveX control from loading in Internet Explorer) meant to block the use of the control. However, it then recanted, stating that the fix would not work because of the depth of the problem.


I am bringing this bug up to make a point. In an earlier post, I mentioned that one of the advantages of using open source software is the fact that many people inside different organizations get to review the code. Would this bug have been caught if it were in open source? It's hard to say, but I love the saying coined by Eric Raymond: "given enough eyeballs, all bugs are shallow."


I don't have all of the answers, but I do know that if you continue to do the same things, you will continue to get the same results. Consider that more and more vendors are pushing us toward the cloud. We are becoming dependent on the browser for connectivity to more of our applications and data every day.


I am not stating definitively that open source software is a panacea and will fix all of our problems. I do find it interesting that other organizations do such a good job of finding Microsoft's mistakes. Browser vendors want us to change the way we think about the browser; however, they don't want to change the way they QA their software. Maybe Microsoft should look at outsourcing its code review process?