Computerworld - Is Sybase's management well intentioned and dumb, or a crowd of control freaks who want to dictate to everyone -- including Sybase customers -- exactly what they're allowed to say about security? The question comes up after Sybase threatened to sue Next Generation Security Software Ltd., a security research company in England. Last year, NGS found a batch of vulnerabilities in Sybase Adaptive Server and notified Sybase. Sybase issued patches for the holes. So far, so good.
But now, NGS wants to publish details of the problem, as is its usual practice. And Sybase says that if NGS does so, Sybase will sue.
On what grounds? Sybase is reportedly pointing to its license agreement, which states in part: "Results of benchmark or other performance tests run on the Program may not be disclosed to any third party without Sybase's prior written consent."
Let that one sink in. Sybase is claiming that finding security holes in one of its products qualifies as a "performance test." Sybase executives know that's bogus. But it's the only clause in the license agreement that sounds even remotely like it could apply. And so far, the threat has worked; NGS has delayed publishing its report.
Wait, it gets better. Here's the start of Sybase's official statement about the NGS situation: "Sybase constantly strives to improve the security and functionality of its software. Sybase appreciates the efforts of its customers and companies like NGS who occasionally find issues which are brought to Sybase's attention."
Did you catch it? That's right -- in talking about its threat against NGS, Sybase is specifically including any other customers who find problems with Sybase software too.
Sybase's statement goes on to say that the company is primarily concerned about the security of its customers and that "the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
Which sounds very well intentioned. It also sounds very dumb.
After all, the bad guys already know the details of these security holes. They've likely already reverse-engineered Sybase's patches and developed exploit code. They're surely not sitting around waiting for NGS's description of the problem.
Let's presume Sybase's patches work. Then for any customer who has applied them, the problem is fixed. And publishing the details of the vulnerability is a nonevent.
Except, of course, for customers who haven't applied the patches. Those customers are at risk. Every unpatched day is another opportunity for bad guys to attack them. If Sybase truly cares about the security of those customers, the vendor should be