Software vendor questions disclosure of flaws

In a contentious keynote speech that created an uproar at the Black Hat Briefings conference, security researcher Marcus Ranum charged that the full disclosure of software vulnerabilities isn’t improving computer security. Instead, Ranum said, it only encourages attacks by what he called “armies of script kiddies.”

Many security experts and corporate users say that publicizing flaws will improve security by forcing software vendors to improve the quality of products and to quickly fix potentially damaging bugs – a point that was reiterated by several audience members and speakers at the security conference, held recently in Las Vegas.

But Ranum, CEO of security software vendor Network Flight Recorder Inc. in Rockville, Md., argued that neither of those things is happening. Declaring a “call to arms to change how we perceive security,” Ranum took aim at the practice of posting detailed information about software flaws and security holes on the Internet.

Even with all that information being made available, there hasn’t been an appreciable impact on the turnaround times for fixing bugs, Ranum said. He asked, “If full disclosure is working, why isn’t the state of security improving?”

Ranum claimed that many disclosures of holes are “rock-throwing” incidents done by companies or individuals to attack vendors or for the purposes of self-promotion, financial gain or ego gratification. And, he said, such disclosures give attackers tools that they can use to take down Web sites.

But other attendees at the conference, which was held last month, said they’re sceptical that limiting the disclosure of information would benefit companies.

Mudge, a vice president at Cambridge, Mass.-based security consulting firm @Stake Inc. who goes by only one name, rejected what he called the “metered dissemination of information” about potentially damaging security holes. While the number of exploits by so-called script kiddies and other attackers has increased, widespread publicity about the incidents has helped raise security awareness, he said.

As much vulnerability information as possible should be disclosed in the hopes that responsible users will employ it to protect their companies, Mudge added. “If I took that [information] away from you, you wouldn’t be able to defend your system,” he said.

Others seconded Mudge’s comments. “How do you give information to people [so they can] manage risk without giving it to other people?” asked Eric Pulaski, chairman and chief technology officer at BindView, a Houston-based security consulting firm.
