Home > Security News > RSA Conference: Middle ground hard to find in vulnerability disclosure debate
Security News:
EMAIL THIS LICENSING & REPRINTS

RSA Conference: Middle ground hard to find in vulnerability disclosure debate

By Dennis Fisher, Executive Editor
07 Feb 2006 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

SAN FRANCISCO -- The long-standing debate over vulnerability disclosure practices is still raging among industry insiders, with little indication that a resolution is coming soon.

RSA Conference 2007

Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.
At RSA Conference 2007 Wednesday, a panel discussion on the topic illustrated just how deep the divide is in some circles. Chris Wysopal, a well-known security researcher and CTO of Burlington, Mass.-based Veracode Inc., Pete Lindstrom, senior analyst at Midvale, Utah-based Burton Group, and Stephen Wu, an attorney with San Francisco-based Cooke Kobrick & Wu LLP, looked at the issue of when to disclose vulnerability information, and how much to publish. In the end, despite looking at the issue from a number of different angles, the panelists agreed on almost nothing.

Wysopal has been involved in responsible disclosure efforts for several years and has advocated the adoption of a standard set of disclosure practices for both researchers and software vendors. He argued that despite the problems vulnerability disclosure can sometimes cause for vendors and users, the benefits outweigh the drawbacks for the industry as a whole, and encourages software makers to be more responsive and open with their customers.

"The only problem I really have with the process is the amount of information that is released sometimes," Wysopal said. "In the future I think we may need to come up with some standards for that."

Past efforts to do just that have been largely unsuccessful, in large part because many researchers want the ability to release full details of a flaw if they feel the vendor is not responding quickly enough. Vendors, on the other hand, want nothing released until a patch is ready. In reality, things usually fall somewhere in the vast middle ground between those two extremes.

For some observers, however, that working compromise isn't enough. Lindstrom, for one, believes that researchers are wasting their time finding flaws and that the disclosure of vulnerabilities only serves to make matters worse by alerting attackers to holes they can exploit.

"I don't think the bug finders are terrorists, I think they're Don Quixotes," Lindstrom said. "How do we ever know if we're done? There are always vulnerabilities out there that we don't know about. Disclosure only works if you have a small number of places you have to fix or remediate.

"The bad guys don't have to play by the rules," he added. "What we've got to do is do a better job of challenging our developers to catalog their software and document how it's known to operate."

"One of the problems I see is Web 2.0. What does security mean in a world where your software runs on someone else's machine?"
Chris Wysopal,
security researcher and CTO of Burlington, Mass.-based Veracode Inc.
However, Wysopal said that when a researcher notifies a vendor of a flaw, it often leads to the discovery of multiple similar vulnerabilities that they might not have found otherwise.

"When you notify a vendor about one bug, they don't just fix that one. There are second and third order fixes here that are very important," He said. "If you find a SQL injection flaw, you can say, look your product takes input in 50 different places, you should look at all of those too and see if there's a problem."

The disclosure debate may be an exercise in futility soon though, as more and more of the applications that users run are Web-based and not running locally on their machines. That architecture makes it much more difficult for researchers to test applications.

"One of the problems I see is Web 2.0. What does security mean in a world where your software runs on someone else's machine?" Wysopal said. "Legally, I don't think someone can start staging attacks against the Gmail servers. All the testing on those applications has to be black-box testing. So the only people discovering vulnerabilities that way are going to be the bad guys."

<< Return to our special coverage of RSA Conference 2007



Tags: Information Security Incident ResponseInformation Security Laws, Investigations and EthicsVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google




More Tips to Secure Your Network
Focused on Channel Security?
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts