A biological approach to security
Nervous marmots and masturbating monkeys: We can learn a lot about how to address software vulnerabilities by studying how animals react to threats in the wild.
Follow @infoworldOver at the Open Sources blog, Savio Rodrigues calls attention to two critical security vulnerabilities in the Spring Framework for Java. They were discovered by security consultancy Ounce Labs, which disclosed the exploits in a detailed report. If you use Spring for critical business applications, you'll definitely want to be aware of the threats and take appropriate measures.
While awareness of security is always important, however, not everyone agrees that vocal public disclosure of vulnerabilities, as Ounce Labs and the Spring developers have done, is the right approach. For example, when working on the Linux kernel, Linus Torvalds prefers to keep security-related chatter to a minimum.
"I personally consider security bugs to be just 'normal bugs,'" Torvalds writes on the Linux kernel development mailing list. "I don't cover them up, but I also don't have any reason whatsoever to think it's a good idea to track them and announce them as something special." If nothing else, he says, doing so only gives would-be attackers an advantage when developing their exploits.
This is a perennial debate, and one that's likely to go on indefinitely. We should note, however, that it is by no means limited to software development. Security is a constant concern throughout the world -- not merely in other aspects of human society, but in the animal kingdom, as well. In an interview with New Scientist magazine, marine biologist Raphael Sagarin proposes that humans can gain a lot of insight into how to best address security issues by studying animal models.
"You can look at virtually any question about security through a biological lens," Sagarin says. "You look at what the most successful organisms do to solve their security problems, and then you try to use that."
Like organisms in nature, businesses want to be successful. One generally accepted means of getting ahead in business is to mediate risk wherever possible. That's what companies are doing when they subscribe to security alerts about their software: By staying informed about the latest vulnerabilities, they hope to minimize the risk that they will fall victim to unknown exploits.
