Bug disclosure, fix process improving
Computerworld - Several users welcomed the growing willingness of vendors and security researchers to work together to identify and fix software vulnerabilities in the wake of last week's disclosure of a major hole in a widely used e-mail protocol (see story).
But they also expressed concern over the practice by some in the security community to release vulnerability information to certain users before making it available to the public.
Atlanta-based security vendor Internet Security Systems Inc. (ISS) and Emeryville, Calif.-based Sendmail Inc. last week disclosed the existence of a major buffer-overflow vulnerability in the sendmail mail-transfer agent, which handles more than 50% of all Internet e-mail traffic.
ISS, which first discovered the hole in early December, said it began in mid-January to work closely with the National Infrastructure Protection Center -- now part of the U.S. Department of Homeland Security -- to warn government and military agencies of the flaw.
The sendmail incident exemplified a welcome change in attitude relating to vulnerability discovery, disclosure and response, users said.
"The security community is becoming more responsible and is making better decisions with regard to when they should disclose a vulnerability," said Mike Tindor, vice president of network operations at First USA Inc., an Internet service provider in St. Clairsville, Ohio.
There is a growing realization that "making a vulnerability public without a fix is not in the industry's best interest," said Anthony DeVoto, a Windows NT administrator at Volvo Finance North America Inc. in Montvale, N.J.
"It's kind of like a car company coming out on the 6 o'clock news and saying your car is going to blow up and they don't know how to fix it," said David Krauthamer, director of information systems at Advanced Fibre Communications Inc., a Petaluma, Calif.-based manufacturer of telecommunications equipment. "I think the software and security industry has matured to the point where it is unacceptable to put customers in a position of such vulnerability," he added.
Meanwhile, software vendors, which continue to come under heavy criticism for developing buggy products, are getting "a little bit better" at disclosing and responding to bug reports, said Edward York, chief technology officer at 724 Inc., a Lampoc, Calif.-based hosting provider.
Groups such as the Organization for Internet Safety are trying to propose standard guidelines for reporting and responding to vulnerability information. And several security companies have voluntarily adopted policies governing the release of vulnerability information.
"The processes surrounding vulnerability disclosure have changed significantly during the past few years for the community as a whole," said Thor Larholm, a security researcher at PivX Solutions LLC, a network security consultancy in Newport Beach, Calif. Instead of making ad hoc disclosures, PivX has a 30-day grace period for vendors to fix a problem before the public is made aware of it.
Despite such progress, other issues remain, users said.
For instance, ISS's decision to prenotify several government and military agencies of the problem is understandable given today's heightened security concerns, users said. But it highlights a practice that can encourage "information segregation and concealment," said Paul Schmehl, adjunct information security officer at The University of Texas at Dallas.
Many security organizations -- including the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and ISS -- routinely sell advance vulnerability information to paying subscribers. Strict nondisclosure agreements govern such prenotifications, said Dan Ingevaldson, a security researcher at ISS.
But "safe practice is that only the vendor should be notified [of a flaw] so they can test it and create a patch. Only then should the information be made available to anyone else," said York.
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!