Computerworld - Is Sybase's management well intentioned and dumb, or a crowd of control freaks who want to dictate to everyone -- including Sybase customers -- exactly what they're allowed to say about security? The question comes up after Sybase threatened to sue Next Generation Security Software Ltd., a security research company in England. Last year, NGS found a batch of vulnerabilities in Sybase Adaptive Server and notified Sybase. Sybase issued patches for the holes. So far, so good.
But now, NGS wants to publish details of the problem, as is its usual practice. And Sybase says that if NGS does so, Sybase will sue.
On what grounds? Sybase is reportedly pointing to its license agreement, which states in part: "Results of benchmark or other performance tests run on the Program may not be disclosed to any third party without Sybase's prior written consent."
Let that one sink in. Sybase is claiming that finding security holes in one of its products qualifies as a "performance test." Sybase executives know that's bogus. But it's the only clause in the license agreement that sounds even remotely like it could apply. And so far, the threat has worked; NGS has delayed publishing its report.
Wait, it gets better. Here's the start of Sybase's official statement about the NGS situation: "Sybase constantly strives to improve the security and functionality of its software. Sybase appreciates the efforts of its customers and companies like NGS who occasionally find issues which are brought to Sybase's attention."
Did you catch it? That's right -- in talking about its threat against NGS, Sybase is specifically including any other customers who find problems with Sybase software too.
Sybase's statement goes on to say that the company is primarily concerned about the security of its customers and that "the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
Which sounds very well intentioned. It also sounds very dumb.
After all, the bad guys already know the details of these security holes. They've likely already reverse-engineered Sybase's patches and developed exploit code. They're surely not sitting around waiting for NGS's description of the problem.
Let's presume Sybase's patches work. Then for any customer who has applied them, the problem is fixed. And publishing the details of the vulnerability is a nonevent.
Except, of course, for customers who haven't applied the patches. Those customers are at risk. Every unpatched day is another opportunity for bad guys to attack them. If Sybase truly cares about the security of those customers, the vendor should be
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts