This is a question I've come across many times. When should you write a bug report, and when should you just send an email?
Generally speaking, it's best to be safe and enter a bug, since the bug tracking system will keep a history of any back-and-forth conversation that anybody can view. You just don't get that with email. I've seen many justifications for sending an email instead of entering a bug report, but in most cases, it still makes sense to enter a bug report.
Some common reasons for sending an email are:
1) "I don't have time to enter a bug." I'm sorry, but this is a pretty weak reason. If you have time to send an email, you have time to enter a bug. I've gotten long, drawn-out emails with detailed bug descriptions. These emails must have taken 10 to 15 minutes to write. It would have been just as easy to enter the same information in the bug tracker.
Granted, you really may be in a hurry and don't have time to do a "proper" bug report. You may not have time to confirm it can be reproduced. You may not have time to figure out who should be in the notification list. However, entering a bug with as much detail as you have and saying, "I'll clean this up tomorrow" is better than not entering a bug at all (as long as you really clean it up tomorrow). At least it will be tracked, and all stakeholders will be able to see it if they look.
Entering a quick bug will take no more than one extra minute when compared to a quick email. If you see a bug, enter it. Period.
2) "I'm not sure if it's a duplicate." For the most part, you should use the search function of the bug tracker. If you're short on time, see #1. If you wind up entering a duplicate, who cares? As long as you made an effort to find the duplicate, it's no big deal to have your bug closed in the next bug triage.
The only time this might be legitimate is if you're almost positive you've seen the bug before and can't find it in the bug tracker. Then, a quick, "I think this is a duplicate, do you know the bug number?" might be in order. However, if nobody knows the number, or you don't get a response, enter the bug. Again, a duplicate bug every once in awhile is no big deal.
3) "I don't like the bug tracker and email is just easier." There are three options: learn to live with it, find an alternative bug tracker, or find an alternative job. I've worked with many different bug trackers. Some were great. Some were horrible. I lived with the horrible trackers until they were replaced. Don't let the tool you use prevent you from doing your job.
4) "This is a serious bug, and we're going live tomorrow." It's still no excuse. Enter a quick bug (see #1). If you want to be absolutely sure the right people are aware of it, send an email saying, "I just found a show stopper. See bug #X!"
5) "I'm not sure if it's a bug." This is common. You don't want to enter a bunch of "as designed" bugs. On the other hand, you don't want bugs falling into an email void. First, find the specs and see if it is a bug. If so, enter it. If the specs aren't clear, you might email the project manager or some other engineers with a brief description of the problem. If you don't get an answer right away, enter the bug anyway.
However, this really shouldn't be a problem for your projects. A test engineer really should know the specs as well as the developers. If you don't know how the product is supposed to work, how can you test it? Of course, if you are looking at another project and stumble across what might be a bug, this is when you'll wind up having to send an email (or just hunting down the Project Manager and asking).
Thursday, July 28, 2011
Thursday, March 10, 2011
Insecurity through Perspicuity
I was having a discussion with a colleague about security. In particular, we were discussing whether or not we should use standard HTML ports for an Internet-facing application. I thought we shouldn't use them because it would increase the risk unecessarily.
When I mentioned this, his response was, "you can't rely on security through obscurity."
I agreed. However, I still insisted that the ports should be changed. My logic was that using standard ports exposes your service to more people, which is insecurity through perpicuity and an unecessary increase in the risk of being attacked.
One example that is sometimes given as an argument against security through obscurity is that you can't just hide your front door with bushes, leave the door unlocked, and expect nobody to break in. This is true, but it doesn't mean that just because you think your house is secure, you should put a note outside that says, "Be back in a week, I put my $50,000 cash in the safe."
By exposing standard ports, you're guaranteeing that every port scanner, even those configured for a minimum scan, will find your server. You may think it's secure, but when a 0-day exploit is discovered, there is a window of opportunity from when it's disclosed to when the patch can be applied on your server where you are vulnerable. No matter how closely you track security vulnerabilities, 0-days are always a risk.
If you're using standard ports, the number of people who are aware that you're running a vulnerable service is going to be many times higher than if you were running on non-standard ports. That means your risk of being attacked before you can patch is also many times higher.
When I mentioned this, his response was, "you can't rely on security through obscurity."
I agreed. However, I still insisted that the ports should be changed. My logic was that using standard ports exposes your service to more people, which is insecurity through perpicuity and an unecessary increase in the risk of being attacked.
One example that is sometimes given as an argument against security through obscurity is that you can't just hide your front door with bushes, leave the door unlocked, and expect nobody to break in. This is true, but it doesn't mean that just because you think your house is secure, you should put a note outside that says, "Be back in a week, I put my $50,000 cash in the safe."
By exposing standard ports, you're guaranteeing that every port scanner, even those configured for a minimum scan, will find your server. You may think it's secure, but when a 0-day exploit is discovered, there is a window of opportunity from when it's disclosed to when the patch can be applied on your server where you are vulnerable. No matter how closely you track security vulnerabilities, 0-days are always a risk.
If you're using standard ports, the number of people who are aware that you're running a vulnerable service is going to be many times higher than if you were running on non-standard ports. That means your risk of being attacked before you can patch is also many times higher.
Security in Consumer Network Products
Security is important for all software and hardware network products. However, when a security vulnerability is found in a consumer-grade product, all too often, I hear the argument that since the only attack vector is from the consumer's LAN, the priority to fix the vulnerability is low. After all, if users have intruders on their LAN, the vulnerability is the least of their worries.
Although this may be true to a certain extent, I still would argue against this. There are some reasons to investigate and address security vulnerabilities that may not be a real-world threat to consumers' data.
First, somebody could have a misconfigured wirelesss router. An attacker could get on their LAN withough their knowledge and wind up accessing their data stored on a NAS because of a bug that "nobody would realistically exploit." To be honest, this falls under the "they're on the LAN, so they have bigger problems" umbrella, but it is always an additional attack vector to consider.
Second, when the public finds out about an obvious exploitable security hole, especially one that is easily fixed, it makes the product and company look bad. People start to wonder what other problems are hidden in your product if you let out something that easy to find and fix.
Granted, not every security bug can or should be fixed, otherwise, you'd never release the product. For example, a potential Denial of Service (DoS) attack on a network device may not be a problem if that device is going to be behind a firewall. Even if an attacker gets on the LAN, are they really going to try to crash your media player?
However, regardless of the likelihood of a vulnerability being exploited, each known vulnerability should still be investigated to see how they might affect your product. I've seen cases where a DoS vulnerability was being triggered by a third-party device that was unintentionally sending malformed packets. We got reports from users that their device was crashing for no apparent reason. The logs didn't help, and we were unable to reproduce it. It was only after running a security scanner against the product that we found the vulnerability and were able to tie it to the crashes reported by users.
Of course, the stakes are raised when dealing with SMB or enterprise products. Even with consumer products, once you expose a single port to the WAN, security becomes critical, not just important.
Although this may be true to a certain extent, I still would argue against this. There are some reasons to investigate and address security vulnerabilities that may not be a real-world threat to consumers' data.
First, somebody could have a misconfigured wirelesss router. An attacker could get on their LAN withough their knowledge and wind up accessing their data stored on a NAS because of a bug that "nobody would realistically exploit." To be honest, this falls under the "they're on the LAN, so they have bigger problems" umbrella, but it is always an additional attack vector to consider.
Second, when the public finds out about an obvious exploitable security hole, especially one that is easily fixed, it makes the product and company look bad. People start to wonder what other problems are hidden in your product if you let out something that easy to find and fix.
Granted, not every security bug can or should be fixed, otherwise, you'd never release the product. For example, a potential Denial of Service (DoS) attack on a network device may not be a problem if that device is going to be behind a firewall. Even if an attacker gets on the LAN, are they really going to try to crash your media player?
However, regardless of the likelihood of a vulnerability being exploited, each known vulnerability should still be investigated to see how they might affect your product. I've seen cases where a DoS vulnerability was being triggered by a third-party device that was unintentionally sending malformed packets. We got reports from users that their device was crashing for no apparent reason. The logs didn't help, and we were unable to reproduce it. It was only after running a security scanner against the product that we found the vulnerability and were able to tie it to the crashes reported by users.
Of course, the stakes are raised when dealing with SMB or enterprise products. Even with consumer products, once you expose a single port to the WAN, security becomes critical, not just important.
Subscribe to:
Posts (Atom)