Last month, Richard Clarke, President Bush's cybersecurity czar, raised a few eyebrows when he said software vendors shouldn't be expected to find all the vulnerabilities in their offerings.
Clarke's comments from the Black Hat Briefings conference raised an interesting point. If software companies can't find all of their own vulnerabilities, who should? Hackers? The government?
"We poor sods [should] -- most likely after seeing some hacker poking through our networks," said Dale Jackaman, director of information technology systems at Vancouver, British Columbia-based BC Research Inc.
Actually, Jackaman was in essence making the same point as Clarke. Namely, security professionals need to help find flaws in software and then responsibly report them. They should first tell the vendors of any problems. If action isn't taken, then the finders should bring their discoveries to the government, Clarke said.
It's probably unrealistic to expect software vendors to find all their own vulnerabilities, agrees Robert Lonadier, president of Boston-based analyst firm RCL & Associates. In fact, the present system relies on security professionals and others to help find vulnerabilities. "As long as there exists a caveat emptor [buyer beware] attitude and legal protection for commercial software companies selling insecure software," he said, "little can change [in terms of vendors producing more secure software]."
A related, and perhaps more important, question raised by Clarke's remarks is why there are so many vulnerabilities in the first place. SearchSecurity members had varying thoughts on this question.
Some felt that the government should play a more active role, even if its only way of doing so is by cajoling vendors into making more secure products. Most, however, acknowledged that vulnerabilities go hand-in-hand with software development. The real issue is how vendors handle vulnerabilities.
Low profit margins often mean a product gets little review before it ships, said Glenn R. Williamson of Fujitsu Consulting in Ottawa. "If companies had to hold software 'til all potential vulnerabilities were discovered, they would quickly go out of business."
Another consideration is the growing complexity of software. As companies add new features to products, the chance that vulnerabilities are created increases. In turn, the sea of additional code can make flaws harder to find.
Slowing development cycles may allow more time for testing and better coding, but is it practical? Probably not, said Andrew Moffat, CEO of Ottawa-based Educom TS, a software developer specializing in e-mail management. His company is working to improve the development and quality assurance process so that secure software can be produced in a timely manner.
Vendors need to do a better job responding to problems, Moffat said. "The real problem is that many vendors disappear once the sale is complete -- especially if they only have a single product and they have VCs or shareholders pushing for the bottom line," he said.
"[Customers] want someone to care that they are having a problem. They want someone to share the pain," he said.
Echoing those sentiments, James Brennan, enterprise consultant with recruitment and outsourcing company Spherion Technology, said: "A lot of software vendors seem to bury their head in the sand about vulnerabilities and continue developing the next version of their product."
Yet software users still have a responsibility to respond when vulnerabilities turn up.
Remember that in most of the recent major incidents, end-user companies knew about the holes before they were exploited but neglected to patch them, said analyst Lonadier, citing the Code Red and Nimda worms.
"We can't cure the illness if the patient won't take its medicine," he said.