
Security Threats Make It Vital to Work Together

by Susan Hall, IT Business Edge
Nov 4, 2008 12:00:00 AM


Imagine an outsider comes to your company, trying to tell you what you "must" do.


"Hi, I’ve been doing free work for you. I’m not a customer, nor will I ever be. Please do this. By the way, I’m not paying you to do it."


Any business that hasn’t already faced that strange scenario likely will, according to security researcher Dan Kaminsky. And those businesses won’t be just the big vendors Kaminsky worked with on the Domain Name System flaw. As more businesses use standardized Web software, attackers are more likely to exploit its vulnerabilities unless businesses heed those outside security researchers who come knocking.


When the Domain Name System vulnerability, dubbed "a whopper" by StillSecure's Alan Shimel, was made public in July, part of the story was how Kaminsky had quietly worked with multiple vendors for months so that patches could be released in a coordinated fashion. That coordination was considered a whopper of a feat in itself.


"One of the key things to realize is that this is a sign that things have changed," IOActive researcher Kaminsky said of his experience with the DNS patches. "This case worked so well only because everyone cooperated. It’s what should happen. … A cooperative relationship between vendors and researchers has been shown to really protect customers."


Now that those patches have been released, perhaps it's time to revisit the often-rocky relationships between independent security researchers and vendors. Those relationships will only grow more important as attacks proliferate and grow more sophisticated.


As IT Business Edge’s Carl Weinshenk reported, the recent X-Force 2008 Midyear Trend statistics suggest that changes are due for the reporting and fixing of bugs.


But those in the trenches say the informal system in place can do the job when all parties act responsibly.


"The system does work. I’ve seen it work very well numerous times," said Terri Forslof, manager of security response for TippingPoint Technologies, which runs the Zero Day Initiative.


Meanwhile, for Adriel Desautels, chief technology officer for Netragard, the problem is that not everyone adheres to responsible and ethical standards for handling vulnerabilities. In other words, it’s a people problem more than a problem with the system.


Independent security researchers often are seen as antagonistic cowboys, while vendors tend to rely on a strategy of, as Kaminsky put it, "deny, deny, delay, delay."


While security researchers want vulnerabilities fixed yesterday, vendors need time to develop patches and to do the work right. They also worry that acknowledging a vulnerability suggests they produce an inferior product.


But Desautels says systems that are secure today might not be secure tomorrow, as new ways are devised to break in. And egos and image aside, all focus between researchers and vendors should be on protecting customers.


No doubt the stakes are escalating. Largely because of standardized Web application software, attacks that in the past might have affected one customer here and there now can take down hundreds of thousands of Web sites at once, and often before the vendor has shipped a fix at all. That is what makes an attack a "zero-day" attack: the vendor has had zero days to fix the flaw, not that the attack took less than 24 hours.


More often than not, attackers are out to steal money. But as the control systems behind infrastructure such as power plants and water systems become targets, the risk grows that exploited vulnerabilities could kill people. Working together therefore takes on even greater importance.


Those who have not dealt with a security problem before should seek out other companies that have and talk it through so the process is less confusing. Learn what worked well and what didn't. "Confusion messes with things more than anything else," Kaminsky said.


Those who have dealt with a security incident no doubt will admit that it could have gone better.

