"With security the focus of this year’s Australian Unix Users Group (AUUG) conference, OpenBSD founder and project lead Theo de Raadt was invited to speak on exploit mitigation techniques. In an exclusive interview with Computerworld's Rodney Gedda, the man behind an operating system that lays claim to only one remote exploit in the default install in seven years, reveals where we are headed – and how far we have to go – in the search for more secure software
What are some of the things that the software industry today is neglecting or ignoring in terms of security and why do we have some many security problems?
Almost all the security problems that happen in software, like probably 95 percent of them, are low-level programmer errors. What happens is people are misusing program functions; they think they know how to use them but they’re making very, very dumb errors and very small errors. These are things that we’ve been getting away with forever. The things that people learn from these things are copied by people reading code. These erroneous paradigms are being copied into newer pieces of code over, and over, and over. So now with the open source community and the close source community, we are faced with, let’s say billions of lines of source code, all written by people who have made the same paradigm errors and passed them on to the next program. That’s why we have security holes. An attacker is using the unintended side-effect of a bug, and since he understands them, he takes the unintended side-effects and twists them to give him privilege. He gets himself privilege because the machine behaves so regularly.
The attacker is always going to know how to do this. The only way we can solve this is by making the environment harsh or by fixing the bugs. And we know that fixing the bugs is never going to happen when we’re talking billions of lines of code. We’ve been trying for a while to do that. That’s why we are having all the security problems."