Legal threat stops flaw info release
Sybase action spurs debate on disclosures
Computerworld - A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase's database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.
Blocking the release of vulnerability information "would set a bad precedent" for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.
Responsible disclosure of software flaws by vulnerability researchers has "significantly improved" the security of products, Powers said. "Preventing disclosure through the threat of legal action can only hurt security," he said.
But Kim Milford, information security manager at the University of Rochester in New York, said she thinks most IT support workers would contact their software vendors directly if security patches weren't effective or couldn't be applied to systems. In such cases, "hackers tend to benefit the most from the release of technical details" about security vulnerabilities, she said.
Dublin, Calif.-based Sybase this week sent a letter to Next Generation Security Software Ltd. warning of legal consequences if it went ahead with plans to release information about the flaws it discovered in Version 12.5.3 of Sybase's Adaptive Server Enterprise (ASE) software.
Surrey, England-based NGS initially disclosed the existence of the flaws only to Sybase, which released a fully patched and updated version of the affected software last month. In line with its stated practice of first waiting for vendors to issue patches, NGS had said it would publicly release details of the flaws on Monday. It decided not to after receiving Sybase's letter.
"We were quite shocked," David Litchfield, one of the founders of NGS, said via e-mail. "They claim that looking for security bugs comes under the banner of database performance testing and benchmarking." Litchfield noted that the license agreement for the development edition of ASE prohibits publication of performance testing and benchmarking results without Sybase's permission.
In an e-mailed statement, a Sybase spokeswoman defended the company's action and said it was motivated by concern for the security of its users. "Sybase does not object to publication of the existence of [security] issues discovered in its products," the statement read. "However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
The case highlights the need for more cooperation between software vendors and vulnerability researchers, said Eric Beasley, senior network manager at Baker Hill Corp., a Carmel, Ind.-based provider of application services to the banking industry.
"I think it's a very bad idea to try and squash vulnerability research because then, obviously, most [vendors] are not going to endeavor to make safer software," Beasley said. "Security through obscurity just does not work."
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!