Perimeter | Commentary
2/21/2012 06:44 PM
Mike Rothman

Disclosure Clouded By Obscurity

Shockingly, the responsible disclosure debate rears its head once again, and amazingly enough some vendors still don't get it. Guess we'll never learn.

Every year or so the responsible disclosure philosophical battle heats up. Some researcher unleashes a zero-day exploit after a vendor buries the bug for months. Then everyone starts pointing fingers. The researchers call the vendors names. The vendors call the researchers other names. The echo chamber on Twitter echoes. And then business returns to normal, with some companies paying researchers for bugs and others sticking their heads back in the sand.

Brad Arkin rekindled the fire at a recent conference by making the (accurate) point that security research gives the bad guys a roadmap to do bad things. Of course, the retort is that the bad guys likely already have the roadmap, which may or may not be true.

Someone on Twitter made the point that fixing bugs is a cost of doing business for software companies, which cannot be argued. And given the 90 percent plus gross margins of the software business, it's hard to shed a tear for those folks. Yes, it's frustrating for Brad to be in the cat and mouse game. But I believe the ecosystem is stronger because you have _good guys_ doing research and sharing their findings, not just the bad guys using exploits, stealing data, and laughing all the way to the bank.

Unfortunately, obscurity remains the default mode for software vendors of all shapes and sizes. My pal Don Weber recently felt the repercussions of that when his ShmooCon presentation was canceled after a vendor objected to the content. As Don explained on his blog, he was going to talk about how to do security testing on smart meters, but alas at least one smart meter vendor didn't like that, so they put the kibosh on the presentation. To Don's credit, he hasn't thrown the vendor under the bus, even though their meters are clearly a steaming pile of fail.

Don's goal was to educate, not to cause harm to any of the vendors in question. The vendors felt threatened and did their best to bury the story. Smart grid buyers were able to stay blissfully unaware, continuing to write checks and life goes on. Don't let anything get in the way of the buying cycle, right? Here's the sad truth: software vendors need customers to stay dumb. Yes, that's harsh, but think about it. Smart customers are a huge liability. They want their stuff to work. They want value for what they pay for. They want their data protected. And they want bugs and security exposures to be fixed. Go figure.

Have you ever called a support desk and they were happy to hear from you? Has the VP of engineering from a software provider ever called you up to thank you for finding a huge bug that put all of their data at risk? No? Yeah, me neither. They want the problem to be yours. A faulty configuration. A stupid user. Or maybe you need more capacity, so they get sales involved and upsell. W00t!

If you haven't worked in a software company, let's be very clear that they don't want to hear about defects, bugs, broken capabilities, or security vulnerabilities. Like anyone else, they'd rather you call and tell them how great they are. What's disappointing is that some software vendors continue to shoot the messenger, on the eve of the message being delivered. They bury the message and pray their customers remain stupid. Do you think they'd threaten to sue a customer who finds a bug in some ERP vendor's General Ledger program? Of course not. They assess the defect and fix it. Or not. And leave the lawyers out of it.

Now that's not entirely a fair characterization, because there are many enlightened software vendors out there who appreciate research, understand how it can help them make their products better, and routinely collaborate with the researchers throughout the process. Don points out some of the folks that were helpful to him. But far too many continue to hide behind lawyers and obscurity.

And it's going to get worse as we continue to embrace SaaS and cloud architectures and the like. Because a problem in the cloud (whatever that means) can spread like wildfire to every customer of a SaaS or cloud provider. One for all and all for one! Multi-tenancy is a wonderful thing, but done wrong it basically opens up not just one customer's data, but all of the customers' data. I can't wait to see the lawsuits flying when someone wants to show how to bust a SaaS application or a cloud provider at Black Hat.

Odds are the lawyers will prevail, no one will say anything, and we'll be further away from the New School, where we actually learn from each other's mistakes. A new generation of cloud/SaaS providers will make the same mistakes over and over again, and we'll continue to run all day and all night to stay in the same place.

You know who is happiest every time this responsible disclosure discussion happens? It's the bad guys. You think they like it when a researcher publishes a zero-day they already discovered and had been monetizing? Seems to me obscurity is better for the bad guys than it is for the good guys. Ah, that old law of unintended consequences.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
