Re: [ISN] Show us the bugs - users want full disclosure

From: InfoSec News (isnat_private)
Date: Fri Jul 12 2002 - 06:03:30 PDT


    Forwarded from: security curmudgeon <jerichoat_private>
    cc: errata submission <errataat_private>, john.leydenat_private
    
    > http://www.theregister.co.uk/content/55/26090.html
    > 
    > By John Leyden
    > Posted: 08/07/2002 at 15:34 GMT
    > 
    > End-users overwhelmingly support the full disclosure of security
    > vulnerabilities, according to a recent survey by analysts Hurwitz
    > Group, which demonstrates widespread frustration about vendor
    > responsiveness to security issues.
    > 
    > Based on interviews with more than 300 software security
    > professionals, the report shows that end users overwhelmingly
    > support full disclosure - announcing security vulnerabilities as
    > soon as they are discovered. The end users surveyed for the report
    > are clearly angry that vendors are releasing insecure applications,
    > and then not responding when flaws are detected, Hurwitz reports.
    > 
    > "They see full disclosure in public forums and in the press as the
    > only way to force vendors to respond to vulnerabilities caused by
    > poorly written and insecure code. In fact, end users overwhelmingly
    > support full disclosure even if it means exposing security flaws
    > within their organisation that could have a negative impact on their
    > company," it writes.
    
    Oh now this is rich. Let's look at this and divulge a little truth
    about the survey. The survey that got sent out to 300 "security
    professionals" asked this question of the participants regarding
    their role in the company:
    
    Which of the following best describes your function in the organization?
     Executive Management (CxO, VP, Senior Director, etc)
     Senior Management (Director, Manager, etc.)
     Functional (Engineer, Analyst, Administrator, etc.)
    
    
    This isn't being sent out to 300 "security professionals". This is
    being sent out to 300 random IT people that may or may not work in the
    security industry, who may or may not manage security people. The fact
    that they did not disclose this is reprehensible. Further, to use this
    survey without disclosing the participants and conclude "end users
    overwhelmingly support full disclosure" is appalling.
    
    This type of report is no better than the recent Alexis de Tocqueville
    "study" or the annual CSI/FBI survey. I simply can't believe this got
    passed off as 'news'.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    