[ISN] Flaw finders to software makers: It's payback time

From: InfoSec News (alerts@private)
Date: Thu Aug 17 2006 - 22:36:34 PDT


http://news.com.com/Flaw+finders+to+software+makers+Its+payback+time/2100-1002_3-6106593.html

By Joris Evers
Staff Writer, CNET News.com
August 17, 2006

Bug hunters are turning the tables on software makers in the debate over 
reporting flaws.

In recent years, software companies have hammered out rules with 
researchers on disclosure, which cover how and when vulnerabilities are 
made public. Now flaw finders want something in return: more information 
from software providers on what they are doing to tackle the holes the 
researchers have reported.

"We have gone from the old 'full disclosure' to 'responsible disclosure' 
debate, to a debate over 'The vendor has the information--what does it do 
with it?'" said Steven Lipner, senior director for security engineering 
strategy at Microsoft.

Software vendors need to establish protocols for interacting with 
researchers who share bug information, experts said. If they don't, they 
could risk losing the progress that has been made towards responsible 
disclosure of flaws.

Many bug hunters now understand and follow the "responsible disclosure" 
guidelines advocated by software companies. Under this approach, a 
researcher who uncovers a flaw will, as a first step, contact the maker of 
the affected software and share details of the vulnerability.

In the past, researchers tended to favor full disclosure, in which they 
would publish details of security flaws they had found on mailing lists or 
on security Web sites, regardless of whether a fix was available.

However, companies want to keep bug details under wraps at least until a 
patch is ready. They argue that with a patch, users of the flawed software 
can plug the hole and protect themselves against possible attacks. By 
contrast, with full disclosure vendors are sent scrambling to fix a flaw, 
while customers are exposed.

"The tension has always been the same," said Gartner analyst Paul Proctor, 
who moderated a panel discussion on disclosure at the recent Black Hat 
security conference. "Researchers want the vendors to be more aggressive, 
and the vendors want the researchers to show more discretion. While they 
both have the same goal of a more secure Internet, their perspectives are 
different."


Brick wall

While many researchers now follow responsible disclosure practice, some 
feel that their conscientiousness is not being reciprocated. In many 
cases, they say, they run into a brick wall or get a limited response at 
the software maker, which pays them little respect for their work.

"There is nothing more frustrating than trying to help a vendor secure its 
product in good faith and not getting decent communication back in 
return," said Terri Forslof, security response manager at TippingPoint, 
which sells intrusion prevention systems. Forslof is responsible for 
sharing flaw details with vendors through TippingPoint's Zero Day 
Initiative bug bounty program. Others agree: her comments echo the 
sentiments expressed by many researchers at the Black Hat panel 
discussion.

There is a simple recipe for satisfying flaw finders, Forslof said. A 
company should acknowledge the issue; provide ongoing information on the 
status of a fix; and be open with the researcher about the processes 
involved in producing an update.

"An open line of communication is essential," said Michael Sutton, one of 
the Black Hat panelists and director of VeriSign's iDefense, which deals 
with software makers and vulnerability researchers. "It is the vendor's 
responsibility to proactively update the researcher on a regular basis on 
the progress that is being made in patching the issue."

Much progress has been made, and security researchers and software makers 
are working better together today than ever before, said Proctor. However, 
many companies need better processes for dealing with bug hunters, he 
said.

"I would like to see the growth of aggressive, formalized programs to work 
with researchers who find vulnerabilities," Proctor said.

Flaw finders who contact software vendors are typically well-intentioned 
security professionals, or enthusiasts who like to test the vulnerability 
of software. Several companies, including TippingPoint and iDefense, pay 
researchers for flaws they find and use the information in products to 
protect their clients' systems.


Adverse effect?

But complying with researchers' requests for more information is not that 
easy, John Stewart, chief security officer at Cisco Systems, said during 
the Black Hat discussion. Acknowledging a potential flaw might have an 
adverse effect on security, he said.

"We can create undue attention onto something that might hurt our 
customers," Stewart said. "If we know, to the best of our knowledge, that 
there is a weakness in our product, we're attempting not to draw further 
attention to it."

Companies all operate differently when it comes to dealing with bug 
hunters. Microsoft has set a good example, accepting that it needs to work 
with the security community, Proctor said. "Cisco is moving from anger to 
acceptance, and Oracle from denial to anger," he said.

Cisco has worked hard to get into the good graces of the hacker community. 
It threw a party at a Las Vegas nightclub for Black Hat attendees and sent 
senior security staff to the event. That's in contrast to the previous 
year, when the networking giant sued a security researcher and alienated 
itself from the community to the extent that T-shirts with anti-Cisco 
slogans sold well at the Defcon hacker event that follows Black Hat.

Oracle appears to be easing up a little on the security front. Its chief 
security officer is now blogging, and the enterprise software company is 
talking to the press about security topics. However, it is still often 
critiqued for its unwillingness to deal openly with researchers.

Without communication, vendors risk losing the progress made toward 
responsible disclosure. Turned off by a cold response, bug hunters 
increasingly put pressure on software companies and go public with flaws, 
instead of going the responsible route, said Tom Ferris, an independent 
security researcher in Cupertino, Calif.

"I see more researchers not work closely with vendors and just giving them 
a 30-day grace period before going public with the flaws," Ferris said.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.



_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Thu Aug 17 2006 - 22:50:44 PDT