WebApp Sec mailing list archives

Re: [WEB SECURITY] Re: Oracle in war of words with security researcher


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 27 Jan 2006 23:05:42 -0600

--On January 27, 2006 3:59:15 PM -0800 Valkyrie <valkyrie () hacktek com> wrote:

> Again, my assertion goes back to failure to have received a logical
> response to the question, "How long is too long to fix your stuff?"

I'll answer it.

1) From the time a vulnerability is made public, a vendor should make a public announcement and provide a workaround or temporary "fix" within 24 hours.

2) From the time a vendor is made aware of a vulnerability, a vendor should make a public announcement that includes workarounds and mitigating factors within 24 hours.

3) The time from when a vendor is made aware of a vulnerability until a patch is provided for the *current* (or affected version - if still supported) should never be more than one month. If a vendor can't provide a patch within one month of becoming aware of the vulnerability, they should either hire temporary additional staff or cease development and dedicate staff to the problem so that they can. If fixing a buffer overflow "breaks" your software, maybe you need to go back to the drawing board and learn how to code to begin with.

If more vendors used these benchmarks, developers would learn much more quickly how to spot security problems in their code and avoid the same mistakes in their future work. We're still seeing buffer overflows routinely, for crying out loud. Surely by now *every* programmer is aware of bounds checking??? Surely every programmer knows by now that you don't accept untrusted input without defining the parameters within which it must fall before accepting it???

*Nothing* is more important than providing patches for existing product that is in production and in use by paying customers. Every time a vendor takes longer or sidesteps the issue or doesn't communicate willingly and openly about the problem, they lose credibility. Many times in the past, customers have felt trapped by monopoly software vendors who had no competition and therefore didn't worry about fixing problems. I won't even use or recommend for purchase any security product that has ever had a security flaw in it that wasn't fixed quickly and openly, and if a vendor suffers several such failures, I won't purchase their products *ever*. *Any* of their products. If they don't recognize security problems in their *own* code, how in God's name could I trust them to recognize security problems in *other* vendors' code?

The two most braindead statements of the recent past are:

Microsoft's claim that they had "eliminated buffer overflows in Windows XP" (at the official launch in New York), only to have eEye announce the UPnP buffer overflow one month later.

Larry Ellison's claim that Oracle customers could "keep their Microsoft Outlook, and we will make it unbreakable; and unbreakable means you can't break it, and you can't break in," only to have David Litchfield demonstrate, the very same day, how to break into 9i and obtain the keys to the kingdom - the administrator account.

Vendors should be paying researchers bounties for doing their work for them. Large bounties.

Apparently only mega-lawsuits will get vendors to change their ways. With all the new laws requiring *customers* to maintain security or pay hefty fines (as was announced today), those lawsuits will soon be forthcoming. Will vendors then *finally* wake up?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
