Bug disclosure, fix process improving
Computerworld -
Several users welcomed the growing willingness of vendors and security researchers to work together to identify and fix software vulnerabilities in the wake of last week's disclosure of a major hole in a widely used e-mail protocol (see story).
But they also expressed concern over the practice by some in the security community to release vulnerability information to certain users before making it available to the public.
Atlanta-based security vendor Internet Security Systems Inc. (ISS) and Emeryville, Calif.-based Sendmail Inc. last week disclosed the existence of a major buffer-overflow vulnerability in the sendmail mail-transfer agent, which handles more than 50% of all Internet e-mail traffic.
ISS, which first discovered the hole in early December, said it began in mid-January to work closely with the National Infrastructure Protection Center -- now part of the U.S. Department of Homeland Security -- to warn government and military agencies of the flaw.
The sendmail incident exemplified a welcome change in attitude relating to vulnerability discovery, disclosure and response, users said.
"The security community is becoming more responsible and is making better decisions with regard to when they should disclose a vulnerability," said Mike Tindor, vice president of network operations at First USA Inc., an Internet service provider in St. Clairsville, Ohio.
There is a growing realization that "making a vulnerability public without a fix is not in the industry's best interest," said Anthony DeVoto, a Windows NT administrator at Volvo Finance North America Inc. in Montvale, N.J.
"It's kind of like a car company coming out on the 6 o'clock news and saying your car is going to blow up and they don't know how to fix it," said David Krauthamer, director of information systems at Advanced Fibre Communications Inc., a Petaluma, Calif.-based manufacturer of telecommunications equipment. "I think the software and security industry has matured to the point where it is unacceptable to put customers in a position of such vulnerability," he added.
Meanwhile, software vendors, which continue to come under heavy criticism for developing buggy products, are getting "a little bit better" at disclosing and responding to bug reports, said Edward York, chief technology officer at 724 Inc., a Lampoc, Calif.-based hosting provider.
Groups such as the Organization for Internet Safety are trying to propose standard guidelines for reporting and responding to vulnerability information. And several security companies have voluntarily adopted policies governing the release of vulnerability information.
"The processes surrounding vulnerability disclosure have changed significantly during the past few years for the community as a whole," said Thor Larholm, a security researcher at PivX Solutions LLC, a network security consultancy in Newport Beach, Calif. Instead of making ad hoc disclosures, PivX has a 30-day grace period for vendors to fix a problem before the public is made aware of it.
Questionable Practices
Despite such progress, other issues remain, users said.
For instance, ISS's decision to prenotify several government and military agencies of the problem is understandable given today's heightened security concerns, users said. But it highlights a practice that can encourage "information segregation and concealment," said Paul Schmehl, adjunct information security officer at The University of Texas at Dallas.
Many security organizations -- including the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and ISS -- routinely sell advance vulnerability information to paying subscribers. Strict nondisclosure agreements govern such prenotifications, said Dan Ingevaldson, a security researcher at ISS.
But "safe practice is that only the vendor should be notified [of a flaw] so they can test it and create a patch. Only then should the information be made available to anyone else," said York.
Security
Additional Resources



White Papers & Webcasts
The State of PCI DSS Compliance at Organizations Today
Download this resource today!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Why Email Must Operate 24/7 and How to Make This Happen
Learn how to avoid an email outage by implementing a hosted email continuity solution.
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Eradicate Spam & Gain 100% Asurance of Clean Mailboxes
Get this paper now!
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Mastering eDiscovery: The IT Manager's Guide to Preservation, Protection & Production
Get this paper now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
