More searches will uncover more vulnerabilities, as flawed systems are still prevalent.
Speaking at the CodenomiCON 2014 event in Las Vegas, cryptographer and C03 Systems CTO Bruce Schneier and former Presidential advisor and chairman of the board of Codenomicon, Howard Schmidt, said that they believed that the discovery of Heartbleed was one of many and if you kept looking, you would find more flaws.
Schmidt said that as attackers keep stock piling zero-days and keep searching, you will find more and more flaws, so the real problem was how to remediate them.
Schneier called Heartbleed “unique and not a typical vulnerability” as it did not seek access, and rare as it was like nothing that had been discovered for a long time. He said: “I was worried when it appeared as you needed to take steps to get security under control and it is something we have not got control back of, as there is no secure key.
“What it showed is that for everything we know about vulnerabilities, we know there are more of them, but when you patch them you are not making software more secure, but vulnerabilities are plentiful but to make a difference we need to get ahead of the bad guys in finding them. We need to understand how they work and I don’t think we do.”
Schmidt recalled the buffer overload and ASM1 discoveries, and he believed that flawed systems still exist in multiple areas. “Unless we design with fewer vulnerabilities, we will be dealing with this for years.”
Schneier said that we have gotten better and better at finding vulnerabilities and patching, so asked if everything is getting better, you have to ask why things are not better. “It is complexity which is the worst enemy of security and it is more complex, and getting worse as it improves,” he said. “It is counter-intuitive and more complexity means more vulnerabilities.”
