Bug disclosure, fix process improving
Computerworld - Several users welcomed the growing willingness of vendors and security researchers to work together to identify and fix software vulnerabilities in the wake of last week's disclosure of a major hole in a widely used e-mail protocol (see story).
But they also expressed concern over the practice by some in the security community to release vulnerability information to certain users before making it available to the public.
Atlanta-based security vendor Internet Security Systems Inc. (ISS) and Emeryville, Calif.-based Sendmail Inc. last week disclosed the existence of a major buffer-overflow vulnerability in the sendmail mail-transfer agent, which handles more than 50% of all Internet e-mail traffic.
ISS, which first discovered the hole in early December, said it began in mid-January to work closely with the National Infrastructure Protection Center -- now part of the U.S. Department of Homeland Security -- to warn government and military agencies of the flaw.
The sendmail incident exemplified a welcome change in attitude relating to vulnerability discovery, disclosure and response, users said.
"The security community is becoming more responsible and is making better decisions with regard to when they should disclose a vulnerability," said Mike Tindor, vice president of network operations at First USA Inc., an Internet service provider in St. Clairsville, Ohio.
There is a growing realization that "making a vulnerability public without a fix is not in the industry's best interest," said Anthony DeVoto, a Windows NT administrator at Volvo Finance North America Inc. in Montvale, N.J.
"It's kind of like a car company coming out on the 6 o'clock news and saying your car is going to blow up and they don't know how to fix it," said David Krauthamer, director of information systems at Advanced Fibre Communications Inc., a Petaluma, Calif.-based manufacturer of telecommunications equipment. "I think the software and security industry has matured to the point where it is unacceptable to put customers in a position of such vulnerability," he added.
Meanwhile, software vendors, which continue to come under heavy criticism for developing buggy products, are getting "a little bit better" at disclosing and responding to bug reports, said Edward York, chief technology officer at 724 Inc., a Lampoc, Calif.-based hosting provider.
Groups such as the Organization for Internet Safety are trying to propose standard guidelines for reporting and responding to vulnerability information. And several security companies have voluntarily adopted policies governing the release of vulnerability information.
"The processes surrounding vulnerability disclosure have changed significantly during the past few years for the community as a whole," said Thor Larholm, a security researcher at PivX Solutions LLC, a network security consultancy in Newport Beach, Calif. Instead of making ad hoc disclosures, PivX has a 30-day grace period for vendors to fix a problem before the public is made aware of it.
Despite such progress, other issues remain, users said.
For instance, ISS's decision to prenotify several government and military agencies of the problem is understandable given today's heightened security concerns, users said. But it highlights a practice that can encourage "information segregation and concealment," said Paul Schmehl, adjunct information security officer at The University of Texas at Dallas.
Many security organizations -- including the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and ISS -- routinely sell advance vulnerability information to paying subscribers. Strict nondisclosure agreements govern such prenotifications, said Dan Ingevaldson, a security researcher at ISS.
But "safe practice is that only the vendor should be notified [of a flaw] so they can test it and create a patch. Only then should the information be made available to anyone else," said York.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts