Chris Hoff at Rational Security has an interesting post up today on the problems that researchers face when looking for vulnerabilities in Web-based applications. The basic problem boils down to this: Web applications run on remote servers, not on the researcher’s machine, which means any misuse of those applications can be viewed as an attack, regardless of the researcher’s intent. This can be problematic if you make your living looking for vulnerabilities in Web applications. The folks at CSI have put together a working group to discuss this issue and the group plans to issue its findings this week at the CSI NetSec conference.
The general feeling among researchers who spend a lot of time doing this kind of work seems to be to err on the side of caution. I’ve spoken with a lot of researchers on this topic lately, and several of them have said they won’t touch Web applications at all. Billy Hoffman, a researcher at SPI Dynamics who specializes in Web apps, told me he’s constantly thinking about the consequences of each move he makes. And Ivan Arce, CTO at Core Security, went a step further, saying his company stays away from Web apps altogether, unless they’re specifically asked to look at one. In the current legal climate this seems like the sensible choice, and it’s hard to blame the researchers for being cautious.
The question is, how will this affect the security of Web applications in the long run? Dave Goldsmith at Matasano gives us a preview of what it’s like to report flaws in this atmosphere:
Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.
Thanks for the tip, David. It’s been noted.
Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?
Hi David, We’re always looking for new ideas and fixes to roll out in future updates, but as a rule we don’t comment on possibilities or timeframes.
How will I know when this vulnerability is fixed?
Actually, they don’t reply at all.
Until someone finds a way to write flawless code, we’re going to need the services of vulnerability assessment companies, researchers and code-auditing tools. But if researchers have to look over their shoulders at every turn and wonder whether the FBI is about to kick in the door, it’s going to make their jobs a lot tougher.