Information Security News mailing list archives
Re: When to Shed Light
From: InfoSec News <isn () c4i org>
Date: Wed, 18 Jun 2003 02:58:10 -0500 (CDT)
Forwarded from: Drew Williams <drew928s () yahoo com>

Although I am not sure what constitutes "recently" by the writer of this article, I am sure that the IT security market, as a whole, is seeing a glut of business-targeted technology AND consulting firms. BugTraq and SecurityFocus, for example, are not "recent phenomena" any more than the hacker research being done on Apache. My SWAT Team at AXENT was doing this sort of work seven years ago.

What I find much more frightening are these start-up development and consulting organizations, who land a little venture funding or an occasional big account from some former personal relationship, who subsequently carry their own banner of "we solve everything" into the market place.

I think a problem that's just as prevalent in the IT security space is the development of weak technologies, and the so-called "expert white hat hacker" teams that are popping up all over the map. Consumers are getting just as inundated with poor products and advice as they are with risks of attacks. Inadvertently, they'll buy what the PR firms are selling, rather than what the industry has seen as hard-tested over time. This, I fear, will cause even greater risk to the very IT infrastructures these poor buyers are trying to protect.

Capitalism definitely has its place in the IT security market, but just because these snake oil salesmen have a fresh CISSP certification and a resume that says "Deloitte Consultant" or "ISS Developer" doesn't qualify them as silver bullet product developers or security saviors. There's a lot of truth to the idea that something that works well takes time to develop.

--- InfoSec News <isn () c4i org> wrote:
http://www.eweek.com/article2/0,3959,1128749,00.asp

By Dennis Fisher
June 16, 2003

Until recently, software security vulnerabilities were discovered mostly by chance and by developers, security specialists or other professionals. Once the flaw was discovered, news about it spread slowly and typically by word of mouth on bulletin boards or perhaps the occasional security lecture.

The huge network of security researchers - independent or otherwise - who race to find the next big vulnerability in Windows or Apache, for example, is a recent phenomenon. So, too, are the overlapping and interconnected mailing lists on which the researchers publish their vulnerability bulletins. Lists such as BugTraq and Full Disclosure were founded to give administrators and other IT professionals a place to get early information on developing software problems.

But the amount of publicity and attention security has commanded in recent years has brought new, less experienced and less disciplined people into the security community. This, in turn, has led to vulnerability reports being published before patches are available, bulletins being stolen from researchers' computers and posted without their knowledge, and a litany of other problems.

This chaos has led some in the community to question whether vulnerability research and disclosure, in its current form, does more harm than good. One side of the debate argues that because there is essentially an infinite number of potential vulnerabilities in software, finding and fixing a handful every year has no effect on the overall security landscape. On the other hand, since disclosing a vulnerability to the public means that good guys and bad guys alike get the information, disclosure can actually cause a great deal of damage.

"The point is not to say that these folks don't have the right to disclose anything they want - of course, they do. In fact, we must assume that, in general, people are finding vulnerabilities and not disclosing them and [that] they can be used against us," said Pete Lindstrom, research director at Spire Security LLC, in Malvern, Pa. "The point is to demonstrate that those folks that say full disclosure is in some way good for us are actually doing more harm than good. Just think how much better our security might be if the highly skilled people who spend all day, every day, searching for vulnerabilities in software would try to design a security solution."
[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.