
Heated Debate Between Security Vendors and Researchers Continues

Independent vulnerability researchers have long criticized software vendors for shipping security products riddled with holes. The tension shows little sign of easing, even though practices for responsible vulnerability disclosure exist.

In Oracle Corp.'s case, the company pushed back in the last week of November 2006, arguing that independent vulnerability researchers were mistaken to criticize its security practices. Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a company blog post that the company would not allow "external perceptions" to dictate its security practices.

Experts said that software vendors need to set protocols for communicating security assessments of their products to researchers, since both sides hold information about the bugs. Without such protocols, the progress made on responsible disclosure of flaws could be lost.

Oracle's response followed a series of articles and blog entries attacking Oracle's security. One was a study by U.K.-based Next Generation Security Software (NGSS) that compared vulnerabilities in Oracle's database with those in Microsoft Corp.'s SQL Server software and found that Oracle had the greater number of flaws over the last six years. A security researcher based in Argentina announced plans to spend a week in December disclosing one Oracle zero-day bug every day, but that plan was later suspended.

Now that software companies report on how they disclose their flaws, security researchers want to hear what action is taken after those reports are released. Bug hunters are placing the responsibility for reporting flaws on the software developers.

In the view of Paul Proctor, a Gartner analyst, the debate has not changed since it began: researchers expect vendors to be more aggressive, and vendors expect researchers to be more discreet. Both sides aim to make the Internet secure, but their methods differ. Proctor spoke at a panel discussion on disclosure at the recent Black Hat Security Conference.

Cerrudo says vendors should worry more about "responsible software development" than about responsible disclosure practices. Vendors have been getting free services from researchers, who find vulnerabilities and report how and where they occur. This should change, as research is an expensive undertaking.

Related article: HD-DVD Copy Protection Proved Vulnerable To Attack

» SPAMfighter News - 12/7/2006
