Bug hunters turn the tables on software makers.

In recent years, software companies have hammered out rules on disclosure, which cover how and when vulnerabilities are made public. Now flaw finders want something in return: more information from software providers on what they are doing to tackle the holes the researchers have reported.

"We have gone from the old 'full disclosure' to 'responsible disclosure' debate, to a debate over 'The vendor has the information--what does it do with it?'" said Steven Lipner, senior director for security engineering strategy at Microsoft.

Software vendors need to establish protocols for interacting with researchers who share bug information, experts said. If they don't, they could risk losing the progress that has been made toward responsible disclosure of flaws.

Many bug hunters now understand and follow the "responsible disclosure" guidelines advocated by software companies. Under this approach, a researcher who uncovers a flaw will, as a first step, contact the maker of the affected software and share details of the vulnerability. In the past, researchers tended to favor full disclosure, in which they would publish details of security flaws they had found on mailing lists or on security Web sites, regardless of whether a fix was available.

Companies, however, want to keep bug details under wraps at least until a patch is ready. They argue that with a patch, users of the flawed software can plug the hole and protect themselves against possible attacks. By contrast, with full disclosure vendors are sent scrambling to fix a flaw while customers are exposed.

"The tension has always been the same," said Gartner analyst Paul Proctor, who moderated a panel discussion on disclosure at the recent Black Hat security conference. "Researchers want the vendors to be more aggressive, and the vendors want the researchers to show more discretion. While they both have the same goal of a more secure Internet, their perspectives are different."

Brick wall

While many researchers now follow responsible disclosure practice, some feel that their conscientiousness is not being reciprocated. In many cases, they say, they run into a brick wall or get a limited response at the software maker, which pays them little respect for their work.

"There is nothing more frustrating than trying to help a vendor secure its product in good faith and not getting decent communication back in return," said Terri Forslof, security response manager at TippingPoint, which sells intrusion prevention systems. Forslof is responsible for sharing flaw details with vendors through TippingPoint's Zero Day Initiative bug bounty program. Her comments echo the sentiments expressed by many researchers at the Black Hat panel discussion.

There is a simple recipe for satisfying flaw finders, Forslof said. A company should acknowledge the issue; provide ongoing information on the status of a fix; and be open with the researcher about the processes involved in producing an update.

"An open line of communication is essential," said Michael Sutton, one of the Black Hat panelists and director of VeriSign's iDefense, which deals with software makers and vulnerability researchers. "It is the vendor's responsibility to proactively update the researcher on a regular basis on the progress that is being made in patching the issue."

Much progress has been made, and security researchers and software makers are working better together today than ever before, said Proctor. However, many companies need better processes for dealing with bug hunters, he added.

"I would like to see the growth of aggressive, formalized programs to work with researchers who find vulnerabilities," Proctor said.

Flaw finders who contact software vendors are typically well-intended security professionals, or enthusiasts who like to test the vulnerability of software. Several companies, including TippingPoint and iDefense, pay researchers for flaws they find and use the information in products to protect their clients' systems.

Adverse effect?

But complying with researchers' request for more information is not that easy, said Stewart of Cisco Systems during the Black Hat discussion. Acknowledging a potential flaw might have an adverse effect on security, he said.

"We can create undue attention onto something that might hurt our customers," Stewart said. "If we know, to the best of our knowledge, that there is a weakness in our product, we're attempting not to draw further attention to it."

Companies all operate differently when it comes to dealing with bug hunters. Microsoft has set a good example, accepting that it needs to work with the security community, Proctor said. "Cisco is moving from anger to acceptance, and Oracle from denial to anger," he said.

Cisco has worked hard to get into the good graces of the hacker community. It threw a party at a Las Vegas nightclub for Black Hat attendees and sent senior security staff to the event. That's in contrast to the previous year, when the network giant sued a security researcher and alienated itself from the community to the extent that T-shirts with anti-Cisco slogans sold well at the Defcon hacker event that follows Black Hat.

Oracle appears to be easing up a little on the security front. Its chief security officer is now blogging, and the enterprise software company is talking to the press about security topics. However, it is still often critiqued for its unwillingness to deal openly with researchers.

Without communication, vendors risk losing the progress made toward responsible disclosure. Turned off by a cold response, bug hunters increasingly put pressure on software companies and go public with flaws, instead of going the responsible route.