RSA 2014: The "double-edged sword" of disclosing software vulnerabilities

News by Doug Drinkwater

An interesting discussion at the RSA conference revealed that vendors often face a "double-edged sword" when tasked with disclosing software vulnerabilities.


A panel comprising Nadya Bartol - senior cyber-security strategist at the Utilities Telecom Council, Eric Baize - senior director of the product security office at EMC Corp, Microsoft's partner director of software security Stephen Lipner and Veracode co-founder and CTO Chris Wysopal, tackled the issue of software vulnerabilities at the RSA Conference in San Francisco on Tuesday.

The conversation - entitled “Evaluating the security of purchased software: can we find common ground?” - centred on how security can be measured internally and externally in software products, and to what degree vendors must divulge information when they find vulnerabilities within their own products.

The experts talked through issues like auditing, testing and how reliable these measures are when trying to ascertain how secure these software products are.

But one particular sticking point in the debate appeared to be the willingness of IT vendors to share information, when they've discovered new details on vulnerabilities, such as SQL injection, buffer overflows or cross-site scripting.

EMC's Eric Baize admitted that while the computer storage firm does share data internally about new and existing software vulnerabilities, doing the same in the outside world is not so easy.

“I think it's important to think about internal and external measures, and what you can share with the customer. Internally, it's a secure environment but sharing [outside] can create new risks,” he told conference attendees.

Baize continued that some customers ask for the source code to spot the issues for themselves but doubted how reliable this information really is. “Customers are asking for the source code, but it's not a secure way to find vulnerabilities and other issues.”

Microsoft's Stephen Lipner concurred with Baize that reporting issues has its drawbacks, and admitted that the firm's own Patch Tuesday - while celebrated in the information security community for highlighting and addressing Windows flaws - is far from perfect.

“Externally, there are concerns about the things you can and can't share. I wouldn't care to open up [inside information] to the world because that says a lot about what vulnerabilities are left, and where the weak spots are. It's a problem,” he said.

Bartol and Baize argued that it's a case of educating users on what they can rightly ask for, and of educating developers on building quality, secure software.

Bartol added that this is likely to become an increasing concern as the Internet of Things takes hold, since it is largely being pushed by hardware vendors with no experience of patching. Veracode's Chris Wysopal, meanwhile, expressed concern that smaller software vendors may struggle to reach certain testing standards for disclosing vulnerabilities and flaws.

Reflecting on Lipner's point that Microsoft publicly reveals vulnerabilities on its website in accordance with ICO guidelines (the firm, along with Google and other tech giants, has also issued guidelines and statements on how it deals with vulnerability disclosures for a number of years), Wysopal said that today's small software start-ups are less likely to have security frameworks in place to do this.

“A lot of software today is being built by small companies that throw something up onto AWS. Smaller firms don't have a framework – they think ‘I like the product, I want to make sure it's secure, what can I do to do the bare minimum testing?’”
