OCTOBER 17, 2000

SECURITY NET
By Alex Salkever

Does the Software Industry Need a Bug-Fix Cop?
At least one outfit is trying to play that role. Some counter that its bid to publicize security flaws will help only the hackers

Is 45 days enough time to patch a security flaw in software? The Computer Emergency Response Center (www.cert.org) thinks so. On Oct. 9, the respected, government-funded computer-security organization set that period as the maximum from when CERT notifies a software company of a flaw to when a solution must be issued. If the company fails to provide a fix within the allotted time period, CERT will notify the information security community via its Web site. This would give system administrators running the flawed programs a chance to protect themselves from attacks.

In theory, that should apply additional pressure on software makers to kill bugs quickly and create a more standardized procedure to deal with a growing industry problem. "It's a good move. It means the vendors will no longer be able to drag out the process of information about vulnerabilities," says Elias Levy, chief technology officer of information security portal Security Focus (www.securityfocus.com).

For the most part, software companies agree with the new CERT policy, which emphasizes that, in some cases, public disclosures could come either sooner or later, depending on the specifics of the situation. "I think it will probably be a good thing because maybe it will encourage folks who don't have well-worked-out response programs to get with the program," says Steve Lipner, the manager of Microsoft's security-response center (www.microsoft.com/security).

INVITING ATTACKS.  CERT's laying down the law represents only a first step toward a much-needed government-enforced standard protocol for handling security breaches in computer software. Of course, not everyone thinks it's the right step.

Many software companies argue that exposed bugs should be kept under wraps until coders have an ample chance to fix the problem. The theory here is that exposing a flaw before a patch is created just invites attacks and more trouble. That's particularly true, they say, if hackers post the actual computer code used to exploit the software vulnerability as part of the notification itself -- a fairly common practice.

Providing this code makes it far easier for unskilled malicious hackers to execute dangerous attacks quickly against unsuspecting companies that have yet to patch the hole. "It's like strewing loaded guns around a playground," says Lipner.

EASY FIXES.  Some computer-security professionals feel that lack of disclosure in any form, be it source code or simple notifications, actually encourages "security through obscurity." That's hacker-speak for the head-in-the-sand approach of software companies that sometimes indefinitely hide vulnerabilities from their customers for fear of losing sales or smudging their reputation. In many cases, rapid notification serves everyone well, claims Alan Paller, research director of the Systems Administration, Networking & Security Institute (SANS).

Many vulnerabilities have easy fixes such as changes in firewall settings or e-mail filters, says Paller. "If you think about these attacks, the ballgame only lasts a few weeks. Their greatest risk is in the first few weeks when people don't have defenses up," says Paller.

The simple solution, of course, is to significantly reduce the number of bugs in the first place. To be sure, eliminating all the glitches in computer programs isn't possible. Operating-system software, such as Windows, often has millions of lines of code interacting not only within the program but with countless other programs. That makes for trillions of potential permutations, each representing a possible security flaw. Still, most breaches should never get to the public in the first place.

WHO TO SUE?  SecurityFocus' Levy would make software companies liable for damages resulting from security breaches. "Only then will they have a financial incentive to produce secure software," says Levy, who adds: "Can you think of any other industry where you can't sue the vendor for a defective product?"

The bottom line? CERT's decision probably will have little effect on the way companies seek solutions to security flaws. Other sources, including SecurityFocus' Bugtraq e-mail updates, often have more information on current flaws. But the respected CERT carries a big stick in the security community, and it could serve as a wake-up call to Congress that some regulatory framework is needed.

That framework could come in the form of a larger governmental regulatory agency, or perhaps a private-sector nonprofit vulnerability clearinghouse funded by computer security software companies themselves. Yes, any governmental intrusion will likely raise the hackles of hackers and software makers alike. But unless the companies can come to an agreement among themselves -- and give self-policing some teeth -- then Uncle Sam should step in and lay down the ground rules rather than allow each company to set its own.



Salkever covers technology for Business Week Online
