
RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey

-----Original Message-----
From: Dave Mann [mailto:dmann@BINDVIEW.COM]

David LeBlanc wrote:
> Academia (and I can speak from experience on this one, as my name can
> properly be followed by B.S.A.E, M.S.A.E, Ph.D) is easily one of the most

Allow me to finish this sentence to suit my own needs!

Academia is easily one of the most experienced in dealing with these
sorts of issues.  We should borrow heavily from them if it helps.  

Academia fairly well recognizes that people can and do work on the same things in parallel.  Thus the race to be first is a little less childish, and it is accepted that two or more researchers might publish on the same topics closely together. One facet commonly found in actual scientific research, as opposed to the advisory nonsense, is that of follow-up work.  It is very rare to see an academic paper which doesn't contain suggestions for future research. 

[FWIW: A Budget Of A Trisection from the Springer-Verlag library makes a
great read on the subject of non-credentialed mathematical crack-pots.
It may shed some light on the noise we see in mailing lists.]

Got a pointer?

=============  TANGENTIAL COMMENTARY BEGINS HERE ================

For those debating the relative merits of security advisories,
I offer up the following snippets from an article recently
written by Al Berg and published by ICSA in Information
Security Magazine.

"When you buy a vulnerability scanner, you are buying expertise...
Hence, before choosing a vulnerability-scanning product, you should
take a careful look at the team supporting it... A good indicator of
the technical savvy of a vendor's team is the number and quality of
papers, advisories and tools it has authored."

One could challenge Mr. Berg's assertion by citing a chicken and
egg paradox.  To wit, has Mr. Berg merely bought into the marketing
hype of vendor advisories hook, line and sinker?  Or, are advisories,
the quality of the research team and the quality of the tools
directly related?   It's an interesting question but it is totally
missing the point.

He's bought in, hook, line and sinker. I can tell you from experience that there is little intersection.  The business of writing security checks has little to nothing to do with writing advisories.  I've written a very large number of checks, and my checks are typically robust.  I've written very few advisories, as I feel like my time was better spent doing something that provides value to customers - a better product does this, advisories provide less value.  Also, some of the people who come up with the most advisories do not write particularly robust code, nor do they often substantially contribute to others writing more robust checks. In fact, if you look, you find that many advisories never get turned into checks at all. I will grant you that some security expertise is needed to write checks, but what is far more important are good programmers who can take a methodical approach to writing robust code that avoids false positives and negatives. In fact, the ability to write a solid check often depends not on an understanding of the actual exploit, but on an ability to test accurately for behavioral differences between patched and unpatched versions of software. The advisory or actual exploit is just the start - it is quite common to have an exploit that can determine if a vulnerable system is present, but also claims that several unrelated systems are vulnerable - these false positives have to be dealt with. There may be some correlation, as a company that is well-funded enough to support an advisory team is often well-funded enough to support professional programmers and testers, but it is largely coincidental, not causal.  There are also so many vulnerabilities reported that a security auditing tool is doing well to keep up with incoming issues, much less spend resources creating new ones. Bottom line is that the typical hacker writes really low-quality code. High-quality code is what you want in a security tool.

Whether or not they have real technical merit, security advisories
are an established feature in the marketplace.  To deny this is
to ignore market realities.  Until that reality changes, they have

Yes, and associating drinking cheap American beer with getting hit on by supermodels seems to sell more beer.  It's about the same thing. Marketing is about creating a fantasy.


Page Last Updated or Reviewed: May 22, 2007