Oracle and Bug Hunters Clash Over Flaw Reports
Vendor blasts ‘irresponsible’ practices; researchers say their work helps users
Computerworld - The long-standing tension between software vendors and independent researchers who try to find security holes in products came into public view late last month, when Oracle Corp. criticized bug hunters after it came under fire for its security practices.
In a message posted Nov. 27 in a blog on Oracle’s Web site, Eric Maurice, manager of security in the company’s global technology business unit, said Oracle wouldn’t let external perceptions drive its software security policies. Maurice reiterated Oracle’s commitment to strong security practices but said it would continue to prioritize vulnerabilities based on their criticality and not on who had discovered them.
He also blasted security researchers who disclose so-called zero-day flaws before vendors make fixes available for them. “We consider such practices to be irresponsible, as they can result in needlessly exposing customers to risk of attack,” Maurice wrote.
The blog post was an apparent response to what Maurice described as “a flurry of articles and blog entries” about Oracle security issues.
For example, Next Generation Security Software Ltd., a Surrey, England-based security research firm that has consulted with Microsoft Corp. on security issues in the past, released a study showing that Oracle’s databases have had far more vulnerabilities than Microsoft’s SQL Server has had over the past six years.
Meanwhile, a security researcher in Argentina announced — then abruptly canceled — plans to release information about an Oracle zero-day flaw every day for one week in December.
Cesar Cerrudo, founder of Argeniss, an IT security firm in Buenos Aires, wouldn’t explain why he dropped the bug-disclosure plans. But via e-mail, Cerrudo defended the work done by security researchers and said vendors should be more concerned about “responsible software development” than about proper vulnerability disclosure practices. “Vendors are used to researchers playing nice,” he wrote. “The situation should change. Research costs thousands of dollars, and right now vendors are getting [it for] free.”
H.D. Moore, founder of the controversial Metasploit Project, which releases vulnerability information and tool kits for writing attack code, rebutted the notion that such initiatives only benefit malicious hackers. The information made available by Metasploit “puts the ‘good guys’ on equal footing with the folks who already have the skill to launch these types of attacks,” Moore wrote as part of an e-mail interview.
Security flaws are unlikely to remain undiscovered for long, whether bug hunters go looking for them or not, said Robert Palmer, vice president of IT at Lenox Inc., a Lawrenceville, N.J.-based maker of tableware and giftware.
Independent researchers provide “a valuable service,” not just to users but to software vendors as well, Palmer said. He added that he wants to see vendors bring bug hunters into the software development cycle. One way to do so would be to give researchers access to alpha or beta code “with the express intent” of letting them try to crack it before the software is commercially released, Palmer said.
But Andrew Plato, president of Anitian Enterprise Security, a consulting and systems integration firm in Beaverton, Ore., said researchers should give vendors at least 30 days to address vulnerabilities before reporting them publicly. “One of the largest problems with independent vulnerability research is blackmailing and grandstanding,” Plato said.
He added that as long as bug hunters follow generally accepted flaw-reporting practices, they serve an important role. “Obscurity is not security,” Plato said. “It’s better to know about a bug and get it fixed than to have it hidden.”