Should you keep security holes secret?

The debate over full disclosure of software vulnerabilities is nothing if not heated. Some think the public has a right to know about a flaw as soon as it's found. Others feel software companies should have plenty of lead time to work on a patch. In this article SearchSecurity users share their thoughts on the issue.

IT has had its fill of buggy software, and it's not going to wait 30 days any more to disclose what it knows.

At least, that's the overwhelming majority of the reaction from SearchSecurity users who recently commented on the full disclosure debate.

Close to two months ago, bug finder David Litchfield, who has a history of scrounging up buffer overflows in Microsoft, Oracle and Lotus software, said he had tired of lagging vendor response to his findings. No longer would he wait 30 days to disclose his discoveries, as the commonly accepted industry protocol suggests. Instead, he announced that he's giving vendors one week before he lets the world know about a software flub via his Vendor Notification Alert. Litchfield conceded he would not publicize details on any vulnerability, but that he would make the flub public along with any workarounds.

Feedback on this story? Send your comments to News Editor Michael S. Mimoso

SearchSecurity users responded to the firestorm with rousing support.

"I wouldn't even wait a week. There is no excuse for releasing bad code in the first place. If they had done the job right and had included security in the process from the beginning, there would be a lot fewer bugs to disclose," said Carrie L. Barrett, a developer with Delphi Corp., a Michigan-based mobile electronics and transportation components and system technology developer. "As a security developer, it is extremely frustrating. I have been fighting with developers for a long time over just this issue. My bottom line? Blow the whistle without waiting."

The other side of this debate, however, suggests that immediate disclosure of vulnerability details only arms crackers waiting to steal corporate assets or damage reputations.

"I think Mr. Litchfield's approach shows a lot of immaturity. I believe that companies should be given as much time as needed to issue a patch," said David A. Jacot. "Some security patches take more than a week just to fix, and I've even seen a programmer go in and fix a security problem only to find other issues which take time to solve."

Vulnerabilities cost enterprises worldwide billions of dollars. Nimda and Code Red, which exploited holes in Microsoft Internet Information Server (IIS) software, resulted in $2.4 billion in losses.

"As long as vendors continue to act as if the problem isn't the security hole, but our knowing about the security hole, full public disclosure is the only protection the rest of us have," said Todd Knarr, a software developer. "If customers don't know about the holes, they can't put pressure on the vendors to fix them. No pressure means the vendor has no incentive. If the vendor won't take the initiative, full disclosure is the only way the customers find out they need to turn up the heat on the vendor."

Analyst firm Hurwitz Group recently tackled the issue in a survey of its clients, many of whom (44%) said that full disclosure is the only way to force companies into writing secure code. Sixty-seven percent said that immediate disclosure or less than a week is a reasonable amount of time from discovery to disclosure. Senior management members who responded, however, said that disclosure only serves to arm crackers trying to break into their systems to steal data.

Some SearchSecurity users may be willing to take that risk.

"Though I do agree that this could give hackers some early information that could lead to potential damage, I feel that in the long run the IT industry would be much better off by finally forcing software vendors to produce safer and more efficient products," said Nicholas Dippold, an administrator with RKA Petroleum of Romulus, Michigan. "It would be nice to actually purchase a product that lives up to its expectations and offers the end user peace of mind that the product of choice will be safe right out of the box."

Vendors, SearchSecurity users said, are driven by the need to rush products out the door and often get to fixes in subsequent versions.

"It seems too many software vendors are so consumed by the all-mighty dollar that they are flooding the market with 'buggy' software by the droves and getting away with it! In my industry as well as most, if I put a product on the market that is shoddy at best, I'm going to take a tremendous hit for it," Dippold said. "However, it seems our software friends live by a different set of rules, and as an admin, I for one am tired of taking the hits for the vendors' mistakes!"

Some users compare software vendors to government when it comes to vulnerable products.

"Unless a company faces a major incident, there will be no impetus for security," said a SearchSecurity member who identified themselves as HC. "Vendors are not inclined to commit resources to clean up a mess in their code/products unless the threat is very, very real."