Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Study: Law puts damper on Web security research

Finding flaws will get you flak, let alone disclosing them

June 12, 2007 12:00 PM ET

TechWorld.com - Web security research is being seriously hampered by laws that punish researchers for even attempting to locate flaws in Web software, much less disclosing those flaws, according to a new study.

The report is the first by the Computer Security Institute (CSI), a research and training organization under the aegis of CMP Technology. It draws on discussions by a broad working group, including security researchers and representatives of U.S. law enforcement agencies.

The upshot is that current legal frameworks designed to allow prosecution of Web attackers also make it next to impossible to legally spot security flaws in the Web 2.0 applications quickly becoming ubiquitous on the Internet.

Those researchers who do feel safe probing Web software for flaws are probably not aware of their real legal position, the report said.

Unlike researchers who address offline software and operating systems, Web software researchers face significant legal restrictions designed to trap attackers, according to Jeremiah Grossman, chief technology officer at WhiteHat Security Inc. and a member of the working group.

"Under some laws, a researcher could find himself prosecuted for simply looking for Web site vulnerability, much less disclosing it publicly," he said in a statement.

The report was released Monday at CSI's NetSec '07 conference in Scottsdale, Ariz.

It suggests that changes may be needed if the emerging ecosystem of Web applications is to be kept secure. That could include changes in the law, including to the assignment of liability, how "damage" is quantified and how disclosure and criminal intent figure into the picture, the report said.

Short of changes to the law, the report suggested Web sites could encourage vulnerability disclosures through anonymous tip lines or the use of "dummy" sites specifically for the use of researchers.

The working group included organizations such as Fortify Software Inc., SPI Labs, the U.S. Department of Justice, Cenzic Inc. and the Electronic Frontier Foundation.


Reprinted with permission from

For more enterprise technology news from the U.K., please visit TechWorld.com. Copyright 2006 IDG, all rights reserved.

Jump to comments

web security research

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

What People Are Saying

White Papers & Webcasts

Share our Strength
Download Now  

Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...

Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...