Ingram issued the warning in a speech at the Association of anti-Virus Asia Researchers (AVAR) 2003 conference in Sydney yesterday. According to Ingram, system administrators are dealing with an overload of patches, which may be making things more difficult.
"If you are finding major vulnerabilities in commonly deployed operating systems... at an increased frequency, we are putting extreme pressure on system administrators to deal with those issues," he told the conference. "Patching is not a security panacea because system architecture and design and maintenance is probably as important."
While the explosion in security vulnerability research has led to the discovery and elimination of security glitches, Ingram says we should be looking further ahead. "At the moment we have professional research labs that are falling over each other to find vulnerabilities in particular operating systems and to publish those before everyone else," he explained. "In producing the next serious vulnerability, I'm not sure if we're making anything more secure than they were before... [are] the research labs doing this for the benefit of the Internet population? We may have to review that and see if it's occurring."
Among those claiming system administrators are struggling with the frequency of security updates is Microsoft's chief executive Steve Ballmer, who recently announced a change to Microsoft's patch release schedule to ease the burden on system administrators. It now releases security fixes on a monthly cycle, instead of weekly.
The massive demand on security administrators to keep up to date with the latest bugs may be making things worse, Ingram said. "The patch model has never worked, but if we overload it, it becomes even worse," he warned. "[It's] happening faster than we can deal with."
A key to a long-term improvement in security is to eliminate the vulnerabilities in the first place, Ingram said. "We constantly go at the vendors about the quality of their software and we suggest to the vendors that their products will be improved significantly if they were to do [better] planning, design, testing and delivery. We believe that you can find buffer overflows in software if you do enough testing," he said.