Secure Coding mailing list archives

web apps are homogenous?


From: list-spam at secureconsulting.net (Benjamin Tomhave)
Date: Thu, 25 Feb 2010 06:42:44 -0500

Jon,

I think you're getting out of the scope of the costing exercise. The
research and estimates around "time to fix" are based on the cost
associated with developing the patch, not with deploying it. One could
argue that the cost of fixing bugs - particularly major ones - is much
higher for web applications given that they are more likely to be
rapidly deployed and that the discovery of the bug is more likely to be
widely publicized (especially if it leads to a breach). Everybody has a
reasonable expectation that widely deployed commercial software is going
to have various bugs over its life (e.g. Windows, Adobe products), while
people seem to still be generally surprised when holes pop up in web apps.

Now, that being said, it is still a valid question as to whether there is a
cost differential between fixing classic compiled code and modern web code.
Toward that end, I would recommend looking into Laurie Williams' work at
NCSU. She has inherited John Musa's Software Reliability Engineering
legacy, is active in the field, and has published a number of articles
and papers potentially relevant to this field. See:
http://collaboration.csc.ncsu.edu/laurie/

fwiw.

-ben

On 2/25/10 1:56 AM, Jon McClintock wrote:
On Wed, Feb 24, 2010 at 10:46:56AM -0500, Paco Hope wrote:
I don't think "webness" conveys any more homogeneity than, say
"windowsness" or "linuxness."

What part of being a web application provides homogeneity in a way
that makes patching cheaper?

In a word, control. Let's compare two different organizations: a 
commercial software development company, and a web commerce company. 
They both develop software, but how the software is deployed and
managed is widely different.

Commercial software is created by one party, and consumed by
multiple other parties. Those parties may run it in widely different
operating environments, with different network, software and hardware
configurations. They may be running old versions of the software, or
using it in novel ways.

If the commercial software development company has to patch a 
vulnerability, they need to first determine which releases of the 
software need to be patched, develop and test a patch for each
supported version, test it across the plethora of different
configurations their customers may be running, develop release notes
and a security advisory, make the patch available, and support their
customers while they are patching.

For a web commerce company, however, the picture is entirely
different. While their production fleet may comprise hundreds, or
even thousands, of servers, they're likely all running the exact same
software and configuration, using a configuration management system
to deploy the website software and keep it in sync.

If the web commerce company identifies a vulnerability in their
website, they can debug the running stack, create a fix, test it
against an exact replica of the production stack, and use automated
tools to deploy the patch to their entire fleet in one operation.

-Jon



_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free,
non-commercial service to the software security community.
_______________________________________________

-- 
Benjamin Tomhave, MS, CISSP
tomhave at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"Oh, so they have internet on computers now!"
Homer Simpson
