Security researchers problematic bunch?

There's a myth about security researchers that goes like this: Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly -- if at all -- if it weren't for noble security researchers using the threat of public disclosure to force them to act.

The reality is that most vendors are trying to do better in vulnerability handling. Most don't need threats to do so, and some researchers have become the problem.

In so stating, I thank those researchers who are genuinely motivated by the public good, most of whom never get the headlines of their more notorious brethren. I also acknowledge that the vendor community needs to improve the quality of commercial software so we have far fewer vulnerabilities.

Here's a rundown of some of the notions that play into this myth about how security researchers interact with software makers.

1. You should be able to fix this in two days
Some researchers think they can push vendors to work faster by threatening to "tell all," and that if vendors really tried, they could meet the researchers' arbitrary 5-day, 15-day or 30-day "fix window." In reality, many of the best researchers aren't the ones you hear a lot about, because discretion is their stock in trade.

In reality, when a researcher reports a vulnerability, the fix might be a two-line code change and take 20 minutes to do. However, getting the fix in customers' hands often takes weeks. Remediation may require the vendor to analyse whether the bug is specific to a particular version/platform or all versions/all platforms or analyse whether related code has a similar problem (to fix the problem everywhere). Vendors may also need to provide fixes on multiple versions/platforms or bundle multiple security fixes together to minimise patching costs to customers, not to mention various testing on the products shipped to ensure the fix does not break anything else.

As an example, Oracle has done 78 fixes for a single vulnerability, which took more than five days to complete. We also release bundled fixes quarterly on dates tied to financial reporting calendars (e.g., many customers will not touch their production systems during quarter-end).

A two-line code change can take five minutes, but getting a fix into customers' hands in such a way that they will apply it takes way more than a few minutes.

2. The more notorious I am, the more business I will get
Many researchers think that the more vulnerabilities they disclose publicly, the more vendors will hire them as consultants. Some engage in explicit threats ("Pay me $X or I sell this to iDefense") or implicit threats ("Fix it in the next three weeks because I am giving a paper at Black Hat"). Not all researchers are noble-minded, and not all vendors are indifferent slugs.

In reality, many of the best researchers aren't the ones you hear a lot about, because discretion is their stock in trade. They are often far better than the "look what I did" researchers who run to the press with their latest vulnerability pronouncements. The circumspect researchers are the only ones we hire and the only ones we recommend to our customers.

Also, notoriety can backfire: I've known customers to terminate contracts with researchers for releasing exploit code. Researchers, you might get applause from hackers when you show off at Black Hat, but businesses will not pay you to slit their throats. With knowledge comes responsibility.

3. I should always get credit for vulnerabilities I find
Most vendors credit researchers who report vulnerabilities so that researchers will continue to work with them. Also, saying "Thank you for working with us" is just good manners. The myth is that researchers are always entitled to credit.

In reality, when a researcher puts customers at risk by releasing exploit code for a vulnerability before the vendor has had a chance to fix it, it's ridiculous to expect the vendor to say, "Thank you for putting our customers at risk." I've never had a customer ask us for exploit code or exploit details, though they do want enough information to do a risk assessment.

In some cases, vendors may actually be giving more credit than the researcher deserves. For example, Oracle finds more than 75 percent of significant security vulnerabilities in-house. Yet if a researcher finds an issue that we already found internally but may not have completed the fixes for, we typically still give that person credit, anyway.

The reality is that not all researchers are noble-minded, and not all vendors are indifferent slugs. The other reality is that the highest purpose of everybody in this game should be protecting customers who use these products from harm.

biography
Mary Ann Davidson is the chief security officer at Oracle, responsible for security evaluations, assessments and incident handling.

• Related stories

• Alerts

Sign up for an e-mail alert

ZDNet Australia Alerts is an e-mail alert service which provides personalised news, features and reviews to readers’ inbox on an hourly, daily and weekly basis.

Alert:

E-mail: *

Frequency: *

Hourly Daily Weekly

Add alert

Add your opinion

Add your opinion

All fields are required

Subject:
Comments:
Full name:
E-mail address:

Your e-mail will not be displayed

Posting options:

Display all details Do not display details

Security Code:

You must read and type the 6 chars within 0..9 and A..F

 

The author writes: "Researchers, you might get applause from hackers when you show off at Black Hat, but businesses will not pay you to slit their throats. With knowledge comes responsibility." This is a stunningly naive viewAnonymous -- 06/08/05

The author writes:

"Researchers, you might get applause from hackers when you show off at Black Hat, but businesses will not pay you to slit their throats. With knowledge comes responsibility."

This is a stunningly naive view of the infosec market.
Researchers are seldom in direct contact with
businesses. Instead, researchers are usually jockying for interest
or salary at other AV firms. So being notorious
helps researchers, since it lets them demand
larger compensation for their work. They seldom
have business dealing with vendors who make the
vulnerable software.

If you only model the dynamics of the AV community
as two actors: (1) big Fortune 500s and (2) AV vendors, then you
overlook the relation between the researchers and
the AV vendors. This dynamic is (a) valid, (b) driving, (c) the
fundamental factor in exploit research.

If you want to change the problem of "48Hr leak
windows", you'll need to understand this
financial and professional aspect of the problem.
Writing diatribes in ZDNet is not going to
change things, since your only readers are
helpless AV employers, and bemused RE workers. If anything, superficial analysis
like this reveals your level of sophistication,
lets competitors understand what little involvement
you have with the AV industry, and telegraphs to
AV companies a large degree of naivete.
I don't mean to be offensive or rude, but I
was frankly shocked when I read such a simple
analysis from a person who should otherwise be
well informed.

• Reply to comment
• Reply to story
• Report offensive content

The author writes: "Researchers, you might get applause from hackers when you show off at Black Hat, but businesses will not pay you to slit their throats. With knowledge comes responsibility." This is a stunningly naive viewAnonymous -- 06/08/05

The author writes:

"Researchers, you might get applause from hackers when you show off at Black Hat, but businesses will not pay you to slit their throats. With knowledge comes responsibility."

This is a stunningly naive view of the infosec market.
Researchers are seldom in direct contact with
businesses. Instead, researchers are usually jockying for interest
or salary at other AV firms. So being notorious
helps researchers, since it lets them demand
larger compensation for their work. They seldom
have business dealing with vendors who make the
vulnerable software.

If you only model the dynamics of the AV community
as two actors: (1) big Fortune 500s and (2) AV vendors, then you
overlook the relation between the researchers and
the AV vendors. This dynamic is (a) valid, (b) driving, (c) the
fundamental factor in exploit research.

If you want to change the problem of "48Hr leak
windows", you'll need to understand this
financial and professional aspect of the problem.
Writing diatribes in ZDNet is not going to
change things, since your only readers are
helpless AV employers, and bemused RE workers. If anything, superficial analysis
like this reveals your level of sophistication,
lets competitors understand what little involvement
you have with the AV industry, and telegraphs to
AV companies a large degree of naivete.
I don't mean to be offensive or rude, but I
was frankly shocked when I read such a simple
analysis from a person who should otherwise be
well informed.

• Reply to comment
• Reply to story
• Report offensive content

Full DisclosureAnonymous -- 06/08/05 (in reply to #120119897)

Full disclosure isn't a security researcher's 'stock in trade' it is what makes security a serious business. The myths portrayed in this article make good chewing gum for the eyes but security isn't jibber-jabber.

• Reply to comment
• Report offensive content

Nothing but a very short, low-on-detail slagging off of independent security researchers with totally nothing about how she does her job and what her department does. She does touch on some good points, such as clients not wanting to implement fixes durinAnonymous -- 08/08/05

Nothing but a very short, low-on-detail slagging off of independent security researchers with totally nothing about how she does her job and what her department does. She does touch on some good points, such as clients not wanting to implement fixes during critical reporting periods, but fails to mention that systems that are used for such reporting are usually never exposed to the evil internet.

• Reply to comment
• Reply to story
• Report offensive content

Nothing but a very short, low-on-detail slagging off of independent security researchers with totally nothing about how she does her job and what her department does. She does touch on some good points, such as clients not wanting to implement fixes durinAnonymous -- 08/08/05

Nothing but a very short, low-on-detail slagging off of independent security researchers with totally nothing about how she does her job and what her department does. She does touch on some good points, such as clients not wanting to implement fixes during critical reporting periods, but fails to mention that systems that are used for such reporting are usually never exposed to the evil internet.

• Reply to comment
• Reply to story
• Report offensive content

Wow ZDNet - I expected better of you. Do you have editors?Anonymous -- 08/08/05

Wow ZDNet - I expected better of you. Do you have editors?

• Reply to comment
• Reply to story
• Report offensive content

It all comes back to "Who's Responsible ??"Anonymous -- 08/08/05

Security bugs are implementation or design failures, for which the Software Developer, and the software developer alone is responsible.

If I, as Joe Bloggs, find a bug in an Oracle product, I will inform the world, NOW, not tomorrow.

I have no obligation to Oracle, or any customer of it.
I will not contact Oracle, since then they WILL later have the option of sayinbg that I was extorting them.
I simply do not care, or wish to listen to, the excuse that the launch schedule is in x months, since that is an "internal" matter of Oracle, who have calculated that a buggy product will not receive the required resources to allow an earlier, or more regular, launch.

Oracle want the money, and won't do the work.
If its cheaper to "shoot the messenger" they will do that too, rather than spend their profits fixing their products.
If they can pay politicians to make it illegal to report product flaws or dishonest advertising, "UNBREAKABLE!", then they will do that too.

Sympathy? They should get lawsuits.

• Reply to comment
• Reply to story
• Report offensive content

Irresponsible!Anonymous -- 09/08/05 (in reply to #120119946)

Congratulations. The previous comment goes out of the way to prove the author's point that people who claim to be "security researchers"; are in fact sometimes complete idiots who can't be relied on to provide for the greater good. the Anonymous author probably stops at traffic accidents to remove the valuables from victims because "what the heck, I don't have any obligation to them either!".

• Reply to comment
• Report offensive content

Security Fix 2 days not unreasonableAnonymous -- 08/08/05

Theo de Raadt of OpenBSD fame has stated in multiple interviews that it is more than common to have a report to patch turnaround of <= 1 hr.

Sorry, but this guy saying weeks is rather...

• Reply to comment
• Reply to story
• Report offensive content

I have to agreeAnonymous -- 08/08/05

I am sorry, but Oracle's arguments are rather weak. The code should have been less or NOT vulnerable to begin with. In cases where it is difficult, they should make every effort to fix the problem. If new features are added the release should not be made until they are certain it is secure.

Why companies don't sue large software vendors like Oracle and Microsoft is beyond me. Whether they like it or not, think it is 'fair' or not, they ARE responsilbe for their code and what it does or does not contain. Buyer beware!

• Reply to comment
• Reply to story
• Report offensive content

Who risks the customer's dataAnonymous -- 08/08/05

<i>In reality, when a researcher puts customers at risk by releasing exploit code for a vulnerability before the vendor has had a chance to fix it, it's ridiculous to expect the vendor to say, "Thank you for putting our customers at risk."</i>
<br><br>
It is not the researcher who puts the customer at risk at the first place. It is the vendor who does not have sufficial QA policy to not release exploitable code. (As someone mentioned in an earlyer comment, these kind of vulnerabilitis are reasults of implementation or design faliures.)Researchers just tell the customer the truth, that their data is <b>already</b> at risk.

• Reply to comment
• Reply to story
• Report offensive content

Security researchers problematic ?Anonymous -- 08/08/05

Its good to hear from the guys who are involved. Most of the time security research

community doesnot even get this much of response. Atleast someone from the research

community should reason with them. Even though reasoning with folks who think they are

rightous might not be worth the effort.
Lets examine the statements a bit more closer.
For the first part,the person involved has no right to comment on something which he or she knows very little about. For most parts security researchers know what they are doing, some of them even have a PhD in the area. someone from a managerial background might see things differently, the folks from security community would agree.

Now for the authors argument

1. You should be able to fix this in two days
Strange, why should someone even give them two days, then why complain.

2. The more notorious I am, the more business I will get
This shows authors difference in understanding the situation. This probably need to be disproved by a plot of revenue versus notority is needed to prove or disprove it. Till then the argument is as good as the authors words.

3. I should always get credit for vulnerabilities I find

This again is interesting, does the author mean, let the researcher do the work - let us get this straight. You do the work I would keep your gains - interesting logic.

Now for some interesting conclusions -"The reality is that not all researchers are noble-minded, and not all vendors are indifferent slugs." Lets put it this way exceptions dont prove the rule. Mailing lists on securityfocus would prove the point.

• Reply to comment
• Reply to story
• Report offensive content

Disagree CompletelyAnonymous -- 08/08/05

What are you talking about? The guy gave you 2 years to fix a security bug and here for the damn PR you are pushing the blame on them?

Yeah you find problem in house, but remember you also have the source code access, researchers who find bugs for your outside don't even have your source code.

This is lame attitude you have shown here.

• Reply to comment
• Reply to story
• Report offensive content

facts speak louder than wordsAnonymous -- 08/08/05

http://www.red-database-security.com/advisory/published_alerts.html

• Reply to comment
• Reply to story
• Report offensive content

Cover up or corporate spin?Anonymous -- 08/08/05

This interview is either a cover-up or corporate spin. The facts in Oracle's behavior do not support the answers given in the interview.

Explicit in the interview is that "bad" security researchers only provide a very small amount of time before they release details of an exploit. In fact the maximum amount of time mentioned in the article as imposed deadlines is 30 days.

So explain why Oracle didn't fix the bugs reported by researcher Alexander Kornbrust of Red Database Security. He eventually released details of several vulnerabilities after Oracle
didn't fix them. Kornbrust said he originally told Oracle of the bugs between 663 and 718 days ago. More than two years!

This interview is little more than corporate spin and should be treated accordingly.

• Reply to comment
• Reply to story
• Report offensive content

Oracle leaves security bugs open for YEARS, not days.RonM -- 08/08/05

She writes "You should be able to fix this in two days". What world is she living in. We'd be happy if Oracle fixed reported security holes in fifty-two days.
Under her leadership in security Oracle has now gotten into the habit of leaving security holes open for OVER TWO YEARS!
<p>&nbsp;
<p>

http://www.techworld.com/security/news/index.cfm?NewsID=4069
<p>
"Oracle has suffered criticism in the past over its slow handling of serious flaws, leading to its current quarterly update system. However, it seems the database giant still has a backlog on its hands: Kornbrust said he originally told Oracle of the bugs between 663 and 718 days ago.
...
The bugs are all input validation errors. The Oracle Forms flaw involves a problem with processing a specially crafted "form" or "module" parameter, which could allow a user to upload a forms executable and run commands with System or Oracle privileges."

<p>&nbsp;
<p>
Just because she doesn't care doesn't mean her customer's don't. We're currently a reseller of an Oracle competitor's product, and I'm happily bringing a printout of her speach here (and the link I posted proving that she's spewing bullshit) on sales calls to show the attitude of our competitor.

• Reply to comment
• Reply to story
• Report offensive content

Slugs they areAnonymous -- 08/08/05

Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly if at all if it weren't for noble security researchers using the threat of public disclosure to force them to act.
<br><br>
Couldn't have said it better myself. Not only security, all bugs/defects seem to require this sort of coercion to get results.
<br><br>
I think it stems from the purely commercial aspect: Can we get away with doing nothing? - as it costs money to do something.
<br><br>
Contrast with open souce projects, where there is usually a rush to fix it for the fun thereof.

• Reply to comment
• Reply to story
• Report offensive content

Warranties and Source Code EscrowA J Stiles -- 08/08/05

I firmly believe that if software vendors wish to keep their code secret from the people whom they expect to use it, then they should be obliged at the very least (1) to offer a performance warranty on the software, and (2) to place a copy of the source code in escrow with an approved agency. In the event of any dispute, then the Courts would have the power to order the source to be unsealed, and appoint experts to examine it in order to settle the dispute.
<br /><br />Open Source software {the only kind I will use; if you are not prepared to show me the code, then I am not prepared to allow it on my system} would not be affected by these requirements. The source code -is- a warranty. Likewise, by supplying the source code with every copy of the software, the escrow requirement is taken care of {since everyone who has the software already has a copy of the source code}. The analogy would be with goods supplied in kit form requiring to be built by the purchaser.

• Reply to comment
• Reply to story
• Report offensive content

Open Source Warranty?Anonymous -- 09/08/05 (in reply to #120119970)

This comments author seems to be missing the point completely. Just because you have access to source doesn't mean that you can fix problems. The author's own codong could possibly introduce new flaws. The comment author also TOTALLY misses the point not everyone can actually read or write programming code.

• Reply to comment
• Report offensive content

You _should_ be able to fix it in 2 days. OpenBSD can fix it in 2 days. Apache can fix it in 2 days. Postgresql, which I dumped Oracle for a while ago, can fix it in 2 days. you can't? Even though you make millions Anonymous -- 08/08/05

You _should_ be able to fix it in 2 days.

OpenBSD can fix it in 2 days.

Apache can fix it in 2 days.

Postgresql, which I dumped Oracle for a while ago, can fix it in 2 days.

you can't? Even though you make millions of dollars selling the thing? people who get paid a lot less to develop their software can fix it faster than you. These are not trivial projects. Maybe something is wrong with your management skills?

btw, what's up with that broken installer? it's retarded. can't someone write a simple perlscript so it's less annoying to install and apply patches?

• Reply to comment
• Reply to story
• Report offensive content

Wow,Anonymous -- 08/08/05

i am still amazed how easily big corporations take away tiny bits of freedom from citizens every day with our governments always looking the other direction, but what scares me even more is that the bull**** they try to tell people to explain their thuggish behaviour gets more stupid all the time.
i mean, do they really think nobody is gonna notice?

• Reply to comment
• Reply to story
• Report offensive content

650+ Days for a fix from Oracle?Sauron -- 09/08/05

Oracle is trying to make the vulnerability researchers look bad, and has tried to do so in many articles ... But they should try a little harder to get their own shop in order first:
http://www.theregister.co.uk/2005/07/20/oracle_vuln_fix/

Rather than trying to throw mud at the researchers, maybe Oracle should clean up their own act first.

• Reply to comment
• Reply to story
• Report offensive content

Links to unpublished/unfixed Oracle security bugsAnonymous -- 09/08/05

There are a lot more UNFIXED Oracle bugs out there (from 2003, 2004 and 2005

http://www.red-database-security.com/advisory/upcoming_alerts.html
http://www.ngssoftware.com/vna.htm
http://www.argeniss.com/services.html

Cheers

X

• Reply to comment
• Reply to story
• Report offensive content

Microsoft does a pretty good jobAnonymous -- 10/08/05

Most of the time, they respond quickly, analyze effectively, give credit where credit is due, and maintain a reasonable relationship with the researcher community. Sometimes they screw up, but overall, they seem to do a decent job of flaw response and remediation. And clearly, what they are doing is practical for a business to do.

Oracle should try to do as well... or even half as well, rather than making silly strawman complaints about people who want fixes "in 2 days". Yes, there are some "researchers" who behave badly, but those who live in glass houses...

• Reply to comment
• Reply to story
• Report offensive content

Is this possible?george -- 20/08/05

I've noticed several sites on the Internet that promote a <a href="http/****-enlargement.day4sex.com" style="text-decoration: none"><font color="#000000">**** enlargement</font></a> through "ancient" techniques of strengthening (and yes, lengthening) the **** through exercises. These sites claim that since the **** is a muscle, it can be conditioned and exercised for greater and permanent length and girth.

Is this possible?

• Reply to comment
• Reply to story
• Report offensive content

• Just In

• Most Popular

• Most Discussed

Login

E-mail Password (forgot?)

Login Remember

Like 124,000 other people join the community and get the latest news from the IT industry.

Reader Services

Popular Topics

Essentials