 COLUMN
 |
 |
Security Adviser
P.J. Connolly
|
Time to come clean
THE QUESTION of full disclosure continues to nag at the security community, judging from what I read. I've gotten a fair amount of mail on this topic from readers, but the jury's still out on how exactly the disclosure standards should work, and who should enforce them. In other words, the questions circle on the usual ego-political stuff that keeps industry association conventions from being just another excuse to booze it up in a strange town.
Sometimes a useful proposal surfaces, such as the one made recently by Gartner security analyst John Pescatore of "investigate alternatives to IIS (Internet Information Server) and Windows" fame. In his statement, Pescatore demolishes the idea that security is improved by withholding the details behind exploits of software vulnerabilities. He points out that the practice of "security through obscurity" became obsolete with the rise of the Internet during the past decade, and claims that most security breaches occur after a patch is released, not because exploit details leaked before it shipped.
He goes on to suggest that vendors be given two weeks to respond to a vulnerability by preparing a patch or work-around, with perhaps another two weeks for regression testing of a patch. The final line of his analysis made me cackle: "Any software vendor that cannot respond in this time frame should not, in Gartner's opinion, sell software that will be exposed to the Internet." Amen to that.
But the question, "How we enforce this?" remains. My personal favorite: the discipline of the market. If customers vote with their pocketbooks -- or more accurately, with their purchase orders -- for software from vendors that adhere to a two-week or three-week standard, keeping mum will actually hurt a product's sales.
But, being the social animals we are, it's likely that one industry association or another will lead the drive for a two-week disclosure standard. This will undoubtedly ensure the ultimate toothlessness of any enforcement program, in which event it's back to Plan A: enforcing discipline with our purchases. Granted, a need exists for a group dedicated to kicking vendor butt. For six figures, I'd be happy to lead such an organization, but I'm not sure if I can come up with an acronym in time to make this column's deadline.
Of course, in the interest of fairness I have to mention that Novell would be in big trouble with my proposed rump-roasting association, having waited more than three months to come forward with details of the "catastrophic" security flaw in certain versions of the GroupWise messaging platform. It appears that in particular communication modes, a protocol analyzer would capture clear-text ID and password information, allowing unauthorized access to that individual mailbox. This is embarrassing, but it is not the kind of systemwide hole that justifies 100-day wait for exploit details. I'm not sure what could.
P.J. Connolly (pj_connolly@infoworld.com) covers security for the InfoWorld Test Center. Get this column free via e-mail each week. Sign up at www.iwsubscribe.com/newsletters .
RELATED SUBJECTS
 Security
MORE >
SPONSORED WHITE PAPERS
EMC
- Lower costs and improve reliability-Get the EMC CLARiiON white paper!
Ciphertrust
- Are you ready for Sobig.G? Learn how to protect your email systems.
CDW
- Personal attention. CDW. The Right Technology. Right Away.
EMC
- Explore key performance features and capabilities of EMC ControlCenter 5.1.1.
Intel
- Free Intel white paper shows you how to deploy a secure wireless LAN
Cisco
- FREE WHITE PAPER: BLUEPRINT to design and implement secure VPNs
Verity, Inc.
- "Mass Consolidation Hits the Web-Search Market"
McDATA
- Download a FREE storage consolidation white paper from McDATA(R).
Lucent Technologies
- Overcoming Common Firewall Limitations
Lucent Technologies
- Leverage Your Mobile High Speed Data Access. Download Free White Paper!
Nokia
- Get the scoop! Mobilizing business white papers & case studies.
BMC Software
- Maximize the Potential of Enterprise Data: Free white paper!
Network Associates
- Free white paper - Strategies for Optimizing Network Costs and Benefits
Entrust
- Manage identities across applications. Improve productivity.
Stalker Software
- CommuniGate Pro - Transform your Email and Calendaring
Remedy
- A NEW Gartner Research Note:Producing Quality IT Services
Search the IDG White Paper Library:
|
SPONSORED LINKS
|
