Bug disclosure, fix process improving
Computerworld - Several users welcomed the growing willingness of vendors and security researchers to work together to identify and fix software vulnerabilities in the wake of last week's disclosure of a major hole in a widely used e-mail protocol (see story).
But they also expressed concern over the practice by some in the security community to release vulnerability information to certain users before making it available to the public.
Atlanta-based security vendor Internet Security Systems Inc. (ISS) and Emeryville, Calif.-based Sendmail Inc. last week disclosed the existence of a major buffer-overflow vulnerability in the sendmail mail-transfer agent, which handles more than 50% of all Internet e-mail traffic.
ISS, which first discovered the hole in early December, said it began in mid-January to work closely with the National Infrastructure Protection Center -- now part of the U.S. Department of Homeland Security -- to warn government and military agencies of the flaw.
The sendmail incident exemplified a welcome change in attitude relating to vulnerability discovery, disclosure and response, users said.
"The security community is becoming more responsible and is making better decisions with regard to when they should disclose a vulnerability," said Mike Tindor, vice president of network operations at First USA Inc., an Internet service provider in St. Clairsville, Ohio.
There is a growing realization that "making a vulnerability public without a fix is not in the industry's best interest," said Anthony DeVoto, a Windows NT administrator at Volvo Finance North America Inc. in Montvale, N.J.
"It's kind of like a car company coming out on the 6 o'clock news and saying your car is going to blow up and they don't know how to fix it," said David Krauthamer, director of information systems at Advanced Fibre Communications Inc., a Petaluma, Calif.-based manufacturer of telecommunications equipment. "I think the software and security industry has matured to the point where it is unacceptable to put customers in a position of such vulnerability," he added.
Meanwhile, software vendors, which continue to come under heavy criticism for developing buggy products, are getting "a little bit better" at disclosing and responding to bug reports, said Edward York, chief technology officer at 724 Inc., a Lampoc, Calif.-based hosting provider.
Groups such as the Organization for Internet Safety are trying to propose standard guidelines for reporting and responding to vulnerability information. And several security companies have voluntarily adopted policies governing the release of vulnerability information.
"The processes surrounding vulnerability disclosure have changed significantly during the past few years for the community as a whole," said Thor Larholm, a security researcher at PivX Solutions LLC, a network security consultancy in Newport Beach, Calif. Instead of making ad hoc disclosures, PivX has a 30-day grace period for vendors to fix a problem before the public is made aware of it.
Despite such progress, other issues remain, users said.
For instance, ISS's decision to prenotify several government and military agencies of the problem is understandable given today's heightened security concerns, users said. But it highlights a practice that can encourage "information segregation and concealment," said Paul Schmehl, adjunct information security officer at The University of Texas at Dallas.
Many security organizations -- including the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and ISS -- routinely sell advance vulnerability information to paying subscribers. Strict nondisclosure agreements govern such prenotifications, said Dan Ingevaldson, a security researcher at ISS.
But "safe practice is that only the vendor should be notified [of a flaw] so they can test it and create a patch. Only then should the information be made available to anyone else," said York.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts