SAN FRANCISCO -- Security researchers are becoming discouraged from reporting vulnerabilities to vendors because the process is too onerous, a panel of security experts said at IT Security World held here this week.
"It is a pain to do the right thing so I think a lot of people just don't bother," said Chris Wysopal, co-founder and chief technology officer of Burlington, Mass.-based security firm Veracode and founder of the Organization for Internet Safety, an industry group that created guidelines for responsible vulnerability disclosure.
"It's just too big of a headache," said Jeremiah Grossman, founder and chief technology officer of Santa Clara, Calif.-based WhiteHat Security. "And the negative media attention really discourages researchers."
Wysopal added that the criminal underground is using software vulnerabilities; if the flaws are reported, they lose value.
Billed as "Security Rock Stars 2007," Tuesday's panel included Nmap security scanner author Fyodor, electrical engineer and hardware hacker Joe Grand, eEye Digital Security Chief Hacking Officer and chief technology officer Marc Maiffret, and Konstantinos Karagiannis, a senior consultant and ethical hacker at IT consulting firm BT INS. Sponsored by MIS Training Institute, IT Security World featured sessions focused on security in healthcare, retail, government and other industry sectors.
Grossman moderated the panel, which discussed their work and addressed a variety of topics including Microsoft Vista, botnets, and vulnerability auctions.
"Vista is truly better than anything they've ever done," said Maiffret, noting improvements Microsoft made to the compiler, which enhanced security. However, by focusing so much on Vista security and Microsoft's Patch Tuesday, people overlook vulnerabilities in third-party applications, he added.
Asked by an audience member about the threat of botnets to the economy and national security, Fyodor cited research by the Honeynet project, of which he is a founding member. That research showed that attackers were aiming to make money rather than do damage on a national scale.
"The [attackers'] motivation has been mostly selfish and going after their own petty crimes," he said.
Auction sites for zero-day flaws, such as WabiSabiLabi, present several sticky issues, panel members said. "The problem is what's a fair amount and what becomes extortion," Maiffret said.
Grand said, "If there's money to be made, there's always going to be people with less ethics."
Panel participants also offered the audience several security tips. Karagiannis, who performs ethical hacks on online banking applications, said he sees a lot of silly mistakes made in Web applications such as faulty features added on at the end of the development process.
"All it takes is one tiny piece to destroy a system," he said.
The panelists also talked about the importance of user education and of not putting full trust in products.
"Don't trust products blindly," Grand said.
Wysopal added that bringing new technology into the home or business invites massive quantities of unknown risk. "Has someone reviewed this code for security? Whenever we're adopting technology, we need to start questioning the people delivering it," he said.