Re: [ISN] When to Shed Light

From: InfoSec News (isnat_private)
Date: Wed Jun 18 2003 - 00:58:10 PDT

    Forwarded from: Drew Williams <drew928sat_private>
    
    Although I am not sure what constitutes "recently" by the writer of
    this article, I am sure that the IT security market, as a whole, is
    seeing a glut of business-targeted technology AND consulting firms.
    
    BugTraq and SecurityFocus, for example, are not "recent phenomena" any
    more than the hacker research being done on Apache. My SWAT Team at
    AXENT was doing this sort of work seven years ago.
    
    What I find much more frightening are these start-up development and
    consulting organizations, who land a little venture funding or an
    occasional big account from some former personal relationship, and who
    subsequently carry their own banner of "we solve everything" into the
    marketplace.
    
    I think a problem that's just as prevalent in the IT security space is
    the development of weak technologies, and the so-called "expert white
    hat hacker" teams that are popping up all over the map.
    
    Consumers are getting just as inundated with poor products and advice
    as they are with risks of attacks. Inadvertently, they'll buy what the
    PR firms are selling, rather than what the industry has seen as
    hard-tested over time.
    
    This, I fear, will cause even greater risk to the very IT
    infrastructures these poor buyers are trying to protect. Capitalism
    definitely has its place in the IT security market, but a fresh CISSP
    certification and a resume that says "Deloitte Consultant" or "ISS
    Developer" doesn't qualify these snake oil salesmen as silver bullet
    product developers or security saviors.
    
    There's a lot of truth to the idea that something that works well
    takes time to develop.
    
    
    --- InfoSec News <isnat_private> wrote:
    > http://www.eweek.com/article2/0,3959,1128749,00.asp
    > 
    > By Dennis Fisher
    > June 16, 2003 
    > 
    > Until recently, software security vulnerabilities were discovered
    > mostly by chance and by developers, security specialists or other
    > professionals. Once the flaw was discovered, news about it spread
    > slowly and typically by word of mouth on bulletin boards or perhaps
    > the occasional security lecture.
    > 
    > The huge network of security researchers - independent or otherwise
    > - who race to find the next big vulnerability in Windows or Apache,
    > for example, is a recent phenomenon.
    > 
    > So, too, are the overlapping and interconnected mailing lists on
    > which the researchers publish their vulnerability bulletins. Lists
    > such as BugTraq and Full Disclosure were founded to give
    > administrators and other IT professionals a place to get early
    > information on developing software problems.
    > 
    > But the amount of publicity and attention security has commanded in
    > recent years has brought new, less experienced and less disciplined
    > people into the security community. This, in turn, has led to
    > vulnerability reports being published before patches are available,
    > bulletins being stolen from researchers' computers and posted
    > without their knowledge, and a litany of other problems.
    > 
    > This chaos has led some in the community to question whether
    > vulnerability research and disclosure, in its current form, does
    > more harm than good. One side of the debate argues that because
    > there is essentially an infinite number of potential vulnerabilities
    > in software, finding and fixing a handful every year has no effect
    > on the overall security landscape. On the other hand, since
    > disclosing a vulnerability to the public means that good guys and
    > bad guys alike get the information, disclosure can actually cause a
    > great deal of damage.
    > 
    > "The point is not to say that these folks don't have the right to
    > disclose anything they want - of course, they do. In fact, we must
    > assume that, in general, people are finding vulnerabilities and not
    > disclosing them and [that] they can be used against us," said Pete
    > Lindstrom, research director at Spire Security LLC, in Malvern, Pa.
    > "The point is to demonstrate that those folks that say full
    > disclosure is in some way good for us are actually doing more harm
    > than good. Just think how much better our security might be if the
    > highly skilled people who spend all day, every day, searching for
    > vulnerabilities in software would try to design a security
    > solution."
    
    [...]