RE: Informing Companies about security vulnerabilities...

["Arian J. Evans" <arian.evans () anachronic com>]

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Steve Friedl
>
> [ snip: security problems found, letters ignored ]
>
> > Has anyone else gone through a similar situation?
>
> The rough breakdown over several years was something like:
>
>       80% - got no reply, didn't fix the problem
>       10% - received thank you, fixed the problem
>        5% - received thank you, but didn't fix the problem
>        5% - received hostile reply

Steve summed this up nicely, but I have to say, with small
ISV's the hostility factor is around 50% in my case. I have
yet to test a document management system that isn't riddled
with holes, simply ridiculous, and two of the worst I've
seen actually *MARKET* their product as "secure" and tout
features that simply do not exist, and threaten you about
any discussion of the issues.

Unfortunately, certain client verticals (like law firms)
are really against disclosure, and since they are my client
I march to their beat, so I have a long list of things
that are not fixed that will never be discussed, and the
issues are actively perpetuated by dishonest vendors.

As for the good Samaritan thing, Papa John's cured me of
that years ago, and every now and then I get forgetful
and send a good Samaritan letter and get smacked again,
reminding me that it is dangerous and unbeneficial.

//In summary, it's a waste of time IMO.//

In related news -- I am seeing more and more ISV's and
organizations market "security" as a feature, when they
simply don't have it. Some of the worst products I have
tested are the ones that market the most dishonestly.

(By "simply don't have" I mean advertise your bullet
proof user controls, and have trivially broken access
controls, or advertise .NET security features and then
go turn them all off in your shipping product resulting
in SQL injection, trivial XSS, things that you have to
work extra hard to make happen in that framework)

Anyone else find this appalling? Anyone have any idea
what to do about it? Consumers are getting completely
hosed on this, with no idea there's an issue.

I mean, if I did that with a car, e.g.-"has seat belts
and air bags" and it turns out that it doesn't, I'd face
massive repercussions, possibly go to jail...

Luckily a bad DMS can't kill you yet, just possibly cost
you millions of dollars when your key litigation
documentation gets in the opposing counsels' hands.

Ideas?

-ae







------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------