Information Security News mailing list archives

Re: When to Shed Light


From: InfoSec News <isn () c4i org>
Date: Wed, 18 Jun 2003 02:58:10 -0500 (CDT)

Forwarded from: Drew Williams <drew928s () yahoo com>

Although I am not sure what constitutes "recently" by the writer of
this article, I am sure that the IT security market, as a whole, is
seeing a glut of business-targeted technology AND consulting firms.

BugTraq and SecurityFocus, for example, are not "recent phenomena" any
more than the hacker research being done on Apache. My SWAT Team at
AXENT was doing this sort of work seven years ago.

What I find much more frightening are these start-up development and
consulting organizations, who land a little venture funding or an
occasional big account from some former personal relationship, who
subsequently carry their own banner of "we solve everything" into the
marketplace.

I think a problem that's just as prevalent in the IT security space is
the development of weak technologies, and the so-called "expert white
hat hacker" teams that are popping up all over the map.

Consumers are getting just as inundated with poor products and advice
as they are with risks of attacks. Inadvertently, they'll buy what the
PR firms are selling, rather than what the industry has seen as
hard-tested over time.

This, I fear, will cause even greater risk to the very IT
infrastructures these poor buyers are trying to protect. Capitalism
definitely has its place in the IT security market, but for these snake
oil salesmen, just having a fresh CISSP certification and a resume that
says "Deloitte Consultant" or "ISS Developer" doesn't qualify them as
silver bullet product developers or security saviors.

There's a lot of truth to the idea that something that works well
takes time to develop.


--- InfoSec News <isn () c4i org> wrote:
http://www.eweek.com/article2/0,3959,1128749,00.asp

By Dennis Fisher
June 16, 2003 

Until recently, software security vulnerabilities were discovered
mostly by chance and by developers, security specialists or other
professionals. Once the flaw was discovered, news about it spread
slowly and typically by word of mouth on bulletin boards or perhaps
the occasional security lecture.

The huge network of security researchers - independent or otherwise
- who race to find the next big vulnerability in Windows or Apache,
for example, is a recent phenomenon.

So, too, are the overlapping and interconnected mailing lists on
which the researchers publish their vulnerability bulletins. Lists
such as BugTraq and Full Disclosure were founded to give
administrators and other IT professionals a place to get early
information on developing software problems.

But the amount of publicity and attention security has commanded in
recent years has brought new, less experienced and less disciplined
people into the security community. This, in turn, has led to
vulnerability reports being published before patches are available,
bulletins being stolen from researchers' computers and posted
without their knowledge, and a litany of other problems.

This chaos has led some in the community to question whether
vulnerability research and disclosure, in its current form, does
more harm than good. One side of the debate argues that because
there is essentially an infinite number of potential vulnerabilities
in software, finding and fixing a handful every year has no effect
on the overall security landscape. On the other hand, since
disclosing a vulnerability to the public means that good guys and
bad guys alike get the information, disclosure can actually cause a
great deal of damage.

"The point is not to say that these folks don't have the right to
disclose anything they want - of course, they do. In fact, we must
assume that, in general, people are finding vulnerabilities and not
disclosing them and [that] they can be used against us," said Pete
Lindstrom, research director at Spire Security LLC, in Malvern, Pa.
"The point is to demonstrate that those folks that say full
disclosure is in some way good for us are actually doing more harm
than good. Just think how much better our security might be if the
highly skilled people who spend all day, every day, searching for
vulnerabilities in software would try to design a security
solution."

[...]



-
ISN is currently hosted by Attrition.org

