Legal threat stops flaw info release
Sybase action spurs debate on disclosures
Computerworld - A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase's database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.
Blocking the release of vulnerability information "would set a bad precedent" for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.
Responsible disclosure of software flaws by vulnerability researchers has "significantly improved" the security of products, Powers said. "Preventing disclosure through the threat of legal action can only hurt security," he said.
But Kim Milford, information security manager at the University of Rochester in New York, said she thinks most IT support workers would contact their software vendors directly if security patches weren't effective or couldn't be applied to systems. In such cases, "hackers tend to benefit the most from the release of technical details" about security vulnerabilities, she said.
Dublin, Calif.-based Sybase this week sent a letter to Next Generation Security Software Ltd. warning of legal consequences if it went ahead with plans to release information about the flaws it discovered in Version 12.5.3 of Sybase's Adaptive Server Enterprise (ASE) software.
Surrey, England-based NGS initially disclosed the existence of the flaws only to Sybase, which released a fully patched and updated version of the affected software last month. In line with its stated practice of first waiting for vendors to issue patches, NGS had said it would publicly release details of the flaws on Monday. It decided not to after receiving Sybase's letter.
"We were quite shocked," David Litchfield, one of the founders of NGS, said via e-mail. "They claim that looking for security bugs comes under the banner of database performance testing and benchmarking." Litchfield noted that the license agreement for the development edition of ASE prohibits publication of performance testing and benchmarking results without Sybase's permission.
In an e-mailed statement, a Sybase spokeswoman defended the company's action and said it was motivated by concern for the security of its users. "Sybase does not object to publication of the existence of [security] issues discovered in its products," the statement read. "However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
The case highlights the need for more cooperation between software vendors and vulnerability researchers, said Eric Beasley, senior network manager at Baker Hill Corp., a Carmel, Ind.-based provider of application services to the banking industry.
"I think it's a very bad idea to try and squash vulnerability research because then, obviously, most [vendors] are not going to endeavor to make safer software," Beasley said. "Security through obscurity just does not work."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts