Article

RSA Conference: Middle ground hard to find in vulnerability disclosure debate

Dennis Fisher

SAN FRANCISCO -- The long-standing debate over vulnerability disclosure practices is still raging among industry insiders, with little indication that a resolution is coming soon.

    Requires Free Membership to View

RSA Conference 2007

Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.
At RSA Conference 2007 Wednesday, a panel discussion on the topic illustrated just how deep the divide is in some circles. Chris Wysopal, a well-known security researcher and CTO of Burlington, Mass.-based Veracode Inc., Pete Lindstrom, senior analyst at Midvale, Utah-based Burton Group, and Stephen Wu, an attorney with San Francisco-based Cooke Kobrick & Wu LLP, looked at the issue of when to disclose vulnerability information, and how much to publish. In the end, despite looking at the issue from a number of different angles, the panelists agreed on almost nothing.

Wysopal has been involved in responsible disclosure efforts for several years and has advocated the adoption of a standard set of disclosure practices for both researchers and software vendors. He argued that despite the problems vulnerability disclosure can sometimes cause for vendors and users, the benefits outweigh the drawbacks for the industry as a whole, and encourages software makers to be more responsive and open with their customers.

"The only problem I really have with the process is the amount of information that is released sometimes," Wysopal said. "In the future I think we may need to come up with some standards for that."

Past efforts to do just that have been largely unsuccessful, in large part because many researchers want the ability to release full details of a flaw if they feel the vendor is not responding quickly enough. Vendors, on the other hand, want nothing released until a patch is ready. In reality, things usually fall somewhere in the vast middle ground between those two extremes.

For some observers, however, that working compromise isn't enough. Lindstrom, for one, believes that researchers are wasting their time finding flaws and that the disclosure of vulnerabilities only serves to make matters worse by alerting attackers to holes they can exploit.

"I don't think the bug finders are terrorists, I think they're Don Quixotes," Lindstrom said. "How do we ever know if we're done? There are always vulnerabilities out there that we don't know about. Disclosure only works if you have a small number of places you have to fix or remediate.

"The bad guys don't have to play by the rules," he added. "What we've got to do is do a better job of challenging our developers to catalog their software and document how it's known to operate."

"One of the problems I see is Web 2.0. What does security mean in a world where your software runs on someone else's machine?"
Chris Wysopal,
security researcher and CTO of Burlington, Mass.-based Veracode Inc.
However, Wysopal said that when a researcher notifies a vendor of a flaw, it often leads to the discovery of multiple similar vulnerabilities that they might not have found otherwise.

"When you notify a vendor about one bug, they don't just fix that one. There are second and third order fixes here that are very important," He said. "If you find a SQL injection flaw, you can say, look your product takes input in 50 different places, you should look at all of those too and see if there's a problem."

The disclosure debate may be an exercise in futility soon though, as more and more of the applications that users run are Web-based and not running locally on their machines. That architecture makes it much more difficult for researchers to test applications.

"One of the problems I see is Web 2.0. What does security mean in a world where your software runs on someone else's machine?" Wysopal said. "Legally, I don't think someone can start staging attacks against the Gmail servers. All the testing on those applications has to be black-box testing. So the only people discovering vulnerabilities that way are going to be the bad guys."

<< Return to our special coverage of RSA Conference 2007


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: