Theory and practice behind full disclosure of security vulnerabilities
The development and usage of software has seen a wide spread the last decade, and software systems are now present in each device. A huge war has been declared between the giant software development companies and the competition is very important, in addition to the fact that users are now more mature and demanding better and more efficient features. The efficiency of software cannot only be determined by the performance and business efficiency, but also the security and bug free characteristics. Developing and assuming that a software is non-vulnerable is a quite a difficult task. A lot of tests and verification processes should be conducted to make sure that the software is stable. Even after all the software planning and tests, vulnerabilities could be detected later. Hackers are also working hard to break most of the ‘secure’ systems. The security experts have done a lot of work in term of determining how could hackers take advantage of system weaknesses. An Important set of tools have been developed for vulnerabilities scanning which target specific systems and test their behaviour to determine whether the specific attack could pass the security measures of the system. It can be compared to the IDS which has a database of known attacks and use this details to determine if a packet or a sequence of packets could make a possible tentative of security breach (Schneier, 2001).
It is obvious that this kind of systems should be kept always up to date and a huge effort should be done in term of standardising and vulnerability sharing to allow a better security and early recognition and avoidance of any attack. Software and systems might contain a segment of codes that could be used as a door to attack the system, known as vulnerability; it has also been defined by many security experts as a weakness in the design of the system which could be diverted and applied as a way to apply any type of attacks against the original system (DOS, Crack, Sniffer…etc.).
Full disclosure of software vulnerabilities consists in publishing as soon as weakness or possible vulnerability is suspected in a software product. This approach as explained earlier allows the security experts to check the security of their systems and avoid the use of the detected vulnerability against them (CHAMBERS, 2004).
In 2001, Scott Culp the manager of security response at Microsoft described the current practices in term of publishing security vulnerabilities to be “information hierarchy” and added in the same article that we could all be safer if researchers keep details about the vulnerabilities details and avoid arming hackers with tools that could be used against other systems or companies. This is a very important question, should security expert publish details about vulnerabilities quickly to allow others to use these details and secure their systems, or avoid this kind of approach to avoid hackers use any sensitive data to attack non secure or corrected systems?
References
– Bruce Schneier (2001).Crypto-Gram Newsletter November 15, 2001. Available at: http://www.cs.duke.edu/courses/cps182s/spring06/papers/schneier-full-disclosure.pdf
– JOHN T. CHAMBERS (2004). Vulnerability disclosure framework final report and recommendation by the council. Available at: http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
The development and usage of software has seen a wide spread the last decade, and software systems are now present in each device. A huge war has been declared between the giant software development companies and the competition is very important, in addition to the fact that users are now more mature and demanding better and more efficient features. The efficiency of software cannot only be determined by the performance and business efficiency, but also the security and bug free characteristics. Developing and assuming that a software is non-vulnerable is a quite a difficult task. A lot of tests and verification processes should be conducted to make sure that the software is stable. Even after all the software planning and tests, vulnerabilities could be detected later. Hackers are also working hard to break most of the ‘secure’ systems. The security experts have done a lot of work in term of determining how could hackers take advantage of system weaknesses. An Important set of tools have been developed for vulnerabilities scanning which target specific systems and test their behaviour to determine whether the specific attack could pass the security measures of the system. It can be compared to the IDS which has a database of known attacks and use this details to determine if a packet or a sequence of packets could make a possible tentative of security breach (Schneier, 2001).
It is obvious that this kind of systems should be kept always up to date and a huge effort should be done in term of standardising and vulnerability sharing to allow a better security and early recognition and avoidance of any attack. Software and systems might contain a segment of codes that could be used as a door to attack the system, known as vulnerability; it has also been defined by many security experts as a weakness in the design of the system which could be diverted and applied as a way to apply any type of attacks against the original system (DOS, Crack, Sniffer…etc.).
Full disclosure of software vulnerabilities consists in publishing as soon as weakness or possible vulnerability is suspected in a software product. This approach as explained earlier allows the security experts to check the security of their systems and avoid the use of the detected vulnerability against them (CHAMBERS, 2004).
In 2001, Scott Culp the manager of security response at Microsoft described the current practices in term of publishing security vulnerabilities to be “information hierarchy” and added in the same article that we could all be safer if researchers keep details about the vulnerabilities details and avoid arming hackers with tools that could be used against other systems or companies. This is a very important question, should security expert publish details about vulnerabilities quickly to allow others to use these details and secure their systems, or avoid this kind of approach to avoid hackers use any sensitive data to attack non secure or corrected systems?
References
– Bruce Schneier (2001).Crypto-Gram Newsletter November 15, 2001. Available at: http://www.cs.duke.edu/courses/cps182s/spring06/papers/schneier-full-disclosure.pdf
– JOHN T. CHAMBERS (2004). Vulnerability disclosure framework final report and recommendation by the council. Available at: http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
