Legal threat stops flaw info release
Sybase action spurs debate on disclosures
Computerworld - A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase's database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.
Blocking the release of vulnerability information "would set a bad precedent" for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.
Responsible disclosure of software flaws by vulnerability researchers has "significantly improved" the security of products, Powers said. "Preventing disclosure through the threat of legal action can only hurt security," he said.
But Kim Milford, information security manager at the University of Rochester in New York, said she thinks most IT support workers would contact their software vendors directly if security patches weren't effective or couldn't be applied to systems. In such cases, "hackers tend to benefit the most from the release of technical details" about security vulnerabilities, she said.
Dublin, Calif.-based Sybase this week sent a letter to Next Generation Security Software Ltd. warning of legal consequences if it went ahead with plans to release information about the flaws it discovered in Version 12.5.3 of Sybase's Adaptive Server Enterprise (ASE) software.
Surrey, England-based NGS initially disclosed the existence of the flaws only to Sybase, which released a fully patched and updated version of the affected software last month. In line with its stated practice of first waiting for vendors to issue patches, NGS had said it would publicly release details of the flaws on Monday. It decided not to after receiving Sybase's letter.
"We were quite shocked," David Litchfield, one of the founders of NGS, said via e-mail. "They claim that looking for security bugs comes under the banner of database performance testing and benchmarking." Litchfield noted that the license agreement for the development edition of ASE prohibits publication of performance testing and benchmarking results without Sybase's permission.
In an e-mailed statement, a Sybase spokeswoman defended the company's action and said it was motivated by concern for the security of its users. "Sybase does not object to publication of the existence of [security] issues discovered in its products," the statement read. "However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
The case highlights the need for more cooperation between software vendors and vulnerability researchers, said Eric Beasley, senior network manager at Baker Hill Corp., a Carmel, Ind.-based provider of application services to the banking industry.
"I think it's a very bad idea to try and squash vulnerability research because then, obviously, most [vendors] are not going to endeavor to make safer software," Beasley said. "Security through obscurity just does not work."
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts