Software vendor questions disclosure of flaws

In a contentious keynote speech that created an uproar at the Black Hat Briefings conference, security researcher Marcus Ranum charged that the full disclosure of software vulnerabilities isn’t improving computer security. Instead, Ranum said, it only encourages attacks by what he called “armies of script kiddies.”

Many security experts and corporate users say that publicizing flaws will improve security by forcing software vendors to improve the quality of products and to quickly fix potentially damaging bugs – a point that was reiterated by several audience members and speakers at the security conference, held recently in Las Vegas.

But Ranum, CEO of security software vendor Network Flight Recorder Inc. in Rockville, Md., argued that neither of those things is happening. Declaring a “call to arms to change how we perceive security,” Ranum took aim at the practice of posting detailed information about software flaws and security holes on the Internet.

Even with all that information being made available, there hasn’t been an appreciable impact on the turnaround times for fixing bugs, Ranum said. He asked, “If full disclosure is working, why isn’t the state of security improving?”

Ranum claimed that many disclosures of holes are “rock-throwing” incidents done by companies or individuals to attack vendors or for the purposes of self-promotion, financial gain or ego gratification. And, he said, such disclosures give attackers tools that they can use to take down Web sites.

But other attendees at the conference, which was held last month, said they’re sceptical that limiting the disclosure of information would benefit companies.

Mudge, a vice president at Cambridge, Mass.-based security consulting firm @Stake Inc. who goes by only one name, rejected what he called the “metered dissemination of information” about potentially damaging security holes. While the number of exploits by so-called script kiddies and other attackers has increased, widespread publicity about the incidents has helped raise security awareness, he said.

As much vulnerability information as possible should be disclosed in the hopes that responsible users will employ it to protect their companies, Mudge added. “If I took that [information] away from you, you wouldn’t be able to defend your system,” he said.

Others seconded Mudge’s comments. “How do you give information to people [so they can] manage risk without giving it to other people?” asked Eric Pulaski, chairman and chief technology officer at BindView, a Houston-based security consulting firm.