Software // Enterprise Applications
News
6/5/2007
03:31 PM
Connect Directly
RSS
E-Mail
50%
50%

Who's To Blame For Insecure Software? Maybe You

Some 57% of those attending the Gartner IT security summit keynote session believe that vulnerability labs set up by security researchers are a useful public service.

The recent observation that companies buying software are unaware of 95% of the bugs contained therein places the well-worn argument about the value of security vulnerability research in a new light. Are security researchers, who spend much of their time finding flaws in others' programming efforts and are often the bane of software vendors, doing enough? And do software consumers escape blame for shoddy products put on the market?

Attendees at the Gartner IT security summit keynote session Tuesday responded to an instant poll indicating that most of them, 57% of the 340 people present, believe that vulnerability labs set up by security researchers are a useful public service, while 22%, or 75 people, think they're a distraction that forces them to patch more often.

Yet there's not consensus on how much information to disclose or when to disclose it. The discovery of a security vulnerability in a piece of software is in many ways like seeing that the front door to your neighbor's house has been left open, David Maynor, chief technology officer of Errata Security, said Tuesday. The options are calling the neighbor right away and alerting them to the open door, inspecting the neighbor's house (helping yourself to some of their food and trying on their clothes in the process) before calling them, or calling all of the other neighbors on the block to tell them about the neighbor's open door. An even more nefarious option is to close the neighbor's door but leave it unlocked so that the house can be entered some time in the future. In software terms, that pretty much sums up the spectrum that includes discrete disclosure of software vulnerabilities to the software's maker, full disclosure of the vulnerabilities to the public Internet, and no disclosure at all.

Different researchers take a different approach. Maynor, for example, says he gives the software vendor a month to fix its software vulnerability before he reports the flaw publicly. "We'll give you 30 days to fix a bug, that's it," he said. Thomas Ptacek, the principal of Matasano Security and a member of the Tuesday morning keynote panel, said he's willing to wait until the software maker makes its own decision to publicly disclose a vulnerability before he publishes his report.

One sentiment that's been floated is for software vendors, or internal software developers, to be held liable for flaws in their products that lead to intrusions into their customers' -- or their own -- networks and breaches of data found there. The concept of spending the time and money to write secure programs is a difficult one for company executives on the business side to accept, as it means possibly extending deadlines for deployment, lowering margins on products, or passing along the higher costs to customers. But it's worth it for companies to consider paying extra attention to the security of the programs they write, when you consider the cost of fixing a bug once an application is shipped and in use can be up to 100 times more expensive than identifying the problem during the development phase, Chris Wysopal, chief technology officer for Veracode and the third member of the Tuesday morning keynote panel, said.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.