SAN FRANCISCO -- The long-standing debate over vulnerability disclosure practices is still raging among industry insiders, with little indication that a resolution is coming soon.
Wysopal has been involved in responsible disclosure efforts for several years and has advocated the adoption of a standard set of disclosure practices for both researchers and software vendors. He argued that, despite the problems vulnerability disclosure can sometimes cause for vendors and users, its benefits outweigh the drawbacks for the industry as a whole, and that it encourages software makers to be more responsive and open with their customers.
"The only problem I really have with the process is the amount of information that is released sometimes," Wysopal said. "In the future I think we may need to come up with some standards for that."
Past efforts to do just that have been largely unsuccessful, mainly because many researchers want the ability to release full details of a flaw if they feel the vendor is not responding quickly enough. Vendors, on the other hand, want nothing released until a patch is ready. In reality, things usually fall somewhere in the vast middle ground between those two extremes.
For some observers, however, that working compromise isn't enough. Lindstrom, for one, believes that researchers are wasting their time finding flaws and that the disclosure of vulnerabilities only serves to make matters worse by alerting attackers to holes they can exploit.
"I don't think the bug finders are terrorists, I think they're Don Quixotes," Lindstrom said. "How do we ever know if we're done? There are always vulnerabilities out there that we don't know about. Disclosure only works if you have a small number of places you have to fix or remediate.
"The bad guys don't have to play by the rules," he added. "What we've got to do is do a better job of challenging our developers to catalog their software and document how it's known to operate."
"When you notify a vendor about one bug, they don't just fix that one. There are second and third order fixes here that are very important," he said. "If you find a SQL injection flaw, you can say, look, your product takes input in 50 different places, you should look at all of those too and see if there's a problem."
The disclosure debate may soon be an exercise in futility, though, as more and more of the applications that users run are Web-based rather than running locally on their machines. That architecture makes it much more difficult for researchers to test applications.
"One of the problems I see is Web 2.0. What does security mean in a world where your software runs on someone else's machine?" Wysopal said. "Legally, I don't think someone can start staging attacks against the Gmail servers. All the testing on those applications has to be black-box testing. So the only people discovering vulnerabilities that way are going to be the bad guys."