List: webappsec
Subject: Re: [WEB SECURITY] Re: Oracle in war of words with security
From: Paul Schmehl <pauls () utdallas ! edu>
Date: 2006-01-28 5:05:42
Message-ID: F45A03EFCAA1808C3F8136A9 () Paul-Schmehls-Computer ! local
--On January 27, 2006 3:59:15 PM -0800 Valkyrie <valkyrie@hacktek.com> wrote:
> Again, my assertion goes back to failure to have received a logical
> response to the question, "How long is too long to fix your stuff?"
I'll answer it.
1) From the time a vulnerability is made public, a vendor should make a
public announcement and provide a workaround or temporary "fix" within 24
hours.
2) From the time a vendor is made aware of a vulnerability, a vendor should
make a public announcement that includes workarounds and mitigating factors
within 24 hours.
3) The time from when a vendor is made aware of a vulnerability until a patch is
provided for the *current* (or affected version - if still supported)
should never be more than one month. If a vendor can't provide a patch
within one month of becoming aware of the vulnerability, they should either
hire temporary additional staff or cease development and dedicate staff to
the problem so that they can. If fixing a buffer overflow "breaks" your
software, maybe you need to go back to the drawing board and learn how to
code to begin with.
If more vendors used these benchmarks, developers would learn much more
quickly how to spot security problems in their code and avoid the same
mistakes in their future work. We're still seeing buffer overflows
routinely, for crying out loud. Surely by now *every* programmer is aware
of bounds checking??? Surely every programmer knows by now that you don't
accept untrusted input without defining the parameters within which it must
fall before accepting it???
*Nothing* is more important than providing patches for existing product
that is in production and in use by paying customers. Every time a vendor
takes longer or sidesteps the issue or doesn't communicate willingly and
openly about the problem, they lose credibility. Many times in the past,
customers have felt trapped by monopoly software vendors who had no
competition and therefore didn't worry about fixing problems. I won't even
use or recommend for purchase any security product that has ever had a
security flaw in it that wasn't fixed quickly and openly, and if a vendor
suffers several such failures, I won't purchase their products *ever*.
*Any* of their products. If they don't recognize security problems in
their *own* code, how in God's name could I trust them to recognize
security problems in *other* vendors' code?
The two most braindead statements of the recent past are:
Microsoft's claim that they had "eliminated buffer overflows in Windows XP"
(at the official launch in New York), only to have eEye announce the UPnP
buffer overflow one month later
Larry Ellison's claim that Oracle customers could "keep their Microsoft
Outlook, and we will make it unbreakable; and unbreakable means you can't
break it, and you can't break in," only to have David Litchfield
demonstrate, the very same day, how to break in to 9i and obtain the keys
to the kingdom - the administrator account.
Vendors should be paying researchers bounties for doing their work for
them. Large bounties.
Apparently only mega-lawsuits will get vendors to change their ways. With
all the new laws requiring *customers* to maintain security or pay hefty
fines (as was announced today), those lawsuits will soon be forthcoming.
Will vendors then *finally* wake up?
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/