Opinion
The Vulnerability Disclosure Game: Are We More Secure?
Marcus Ranum looks at whether the disclosure process has done any good
By Marcus Ranum
ack at 10 years of what disclosure has brought us, it’s brought us…well, nothing much. Nothing much, that is, except a grey-market economy in exploits, where independent "vulnerability researchers" attempt to cash in by finding new attacks that they can sell to security companies or spyware manufacturers—whichever bids higher. Nothing much unless you count the massive amounts of "free" marketing exposure for companies that trade in exploits. The sad part about it all is that they’ve managed to convince you they’re doing you a favor. It looks like a pretty expensive-looking "favor" to me!
Back when the Internet security bubble started, I offered a litmus test for practitioners. Simply put: You’re either part of the solution, or you’re part of the problem. You’re writing the next firewall or secure application or working to improve some site’s security. Or you’re part of the problem: You’re looking for the next hole in Oracle that’ll get you two minutes on CNN, or you’re getting ready to announce a clever new way rootkits can evade detection from security tools, or you’re devising the next denial-of-service attack, etc. The state of ethics in the computer security industry is pathetic; it’s on par with where medicine was in the 1820s—except that some of the snake-oil salesmen in the 1820s actually believed in their products.
At this point in the history of security, the disclosure economy has been in place long enough that some of the new entrants to the field think that’s the way it’s always been—I’ve run into second-generation "true believers" who really think vulnerability disclosure is all about making software better. Guys, I think it’s time to hang up that ideology; it’s obviously not true. If it was going to help, it would have showed some signs of helping by now. So let’s be frank, shall we? Those of you who are playing the disclosure game are just playing for your two minutes of fame: You’re not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn’t shouting "fire!" in a crowded theater so…um, ’90s? I know that the typical security customer is (to you) an unsophisticated rube, but that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired "chief hacking officer"
Marcus Ranum
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
