Learning from Disaster

David A. Wheeler

2021-01-16 (first 2015-02-13)

Many serious computer security vulnerabilities have been found over the years. I believe that those involved in developing or operating computer systems can - and should - learn from these past mistakes.

This is a collection of essays, mostly by me, that briefly explain what happened and focus on lessons to be learned from various vulnerabilities or computer security problems (aka “disasters”). We humans have been sitting around campfires since ancient times, telling stories and trying to glean future lessons from those stories. These are far more modern stories, but these stories really did happen and there are important lessons to be learned from them. Please, sit back and enjoy the stories... but more importantly, please apply some of these lessons to prevent them from happening again.

Here are the essays:

  1. How to Prevent the next Heartbleed (Heartbleed)
  2. Shellshock
  3. The Apple goto fail vulnerability: lessons learned (goto fail)
  4. POODLE attack against SSLv3 (POODLE)
  5. Sony Pictures, Lax Security, and Passwords (Sony)
  6. What the GHOST tells us about free software vulnerability management by Hanno Böck (GHOST)
  7. Who decides when you need to update vulnerable software? (Equifax)
  8. Subversion of bootstrap-sass
  9. Preventing Supply Chain Attacks like SolarWinds

Each disaster is fundamentally a story of things that went wrong. I think each tale is really interesting, especially since they each give us an opportunity to learn and do better. I hope you take some of those lessons to heart. Perhaps more importantly, I hope you use these as examples of ways to look at other events to determine what can be learned from them. If we do not learn from history, we risk repeating it.

Feel free to see my home page at https://dwheeler.com. You may also want to look at my paper Why OSS/FS? Look at the Numbers! and my book on how to develop secure programs.

(C) Copyright 2014-2021 David A. Wheeler.