Thursday, July 13, 2006

Security Flaws, Hanging Them Against The Big Clock

Buffer overflows, insecure browsers, remote code execution: all common terms in the world of software security. We are surrounded by insecure applications and the big guns are not doing a thing about it. It seems they make more profit from insecure software applications than from reliable and secure ones. Everyone is fed up with the ignorance of giant software companies, but is that reason enough to go public with every security flaw you find in their software?

It won’t hurt to go public with the security flaws of a piece of software that has only three or four users worldwide. But it becomes a problem when billions of people use the software.

Flashing a security flaw around for everyone to see puts more people at risk than would have been the case had you kept it quiet. Whom are you actually doing a favour? The users? Prospective users? The software company? No, not one of them. You are making the job of hackers and people exploiting the flaws that much easier. In fact, you are doing their homework for them and feeding their sinister thoughts with sensitive information.

Many people feel they are dealing software companies a blow by announcing flaws out in the open. You get the chance to get even with the companies you hate the most. But does this really have a negative impact on the really big companies? Yes, I agree smaller companies will feel the blow much harder than the larger ones, but the big guns thrive on controversy, because publicity is a free way of marketing your product. You may not impress everyone, but when the word gets out, your product’s name will be mentioned, that’s for sure. Just make sure you take some kind of action, just to make it look like you really care.

Companies like Microsoft and Google make huge mistakes with their products, but almost everyone seems to support them. It will take some huge flops to make people lose confidence in companies like these. This article is a good example: I’m not a huge supporter of Microsoft products. I prefer Open Source products because they are, most of the time, more secure and effective. But still Microsoft’s name gets mentioned. Google kept doing things right until all their fame and success went to their heads. Today they are disappointing thousands of search engine users, webmasters and advertisers, but people still use their products.

You may give companies a temporary blow by following the public route, but in the end you create new opportunities for them to make something good from something bad. Your efforts will be futile and you end up creating more problems for the software community than you solve.

Why do people think it is a good thing to go public with security flaws? It is because they think in terms of the open source community. The only way of getting an open source application fixed is by going public with the flaw. The open source community comes up with fixes to its applications in next to no time because there is such a huge pool of contributors. Unfortunately you can’t follow this route with closed source applications. You are at the mercy of the software company to get the problem fixed. But you are not making things easier for them by starting a fire in the woods. They end up putting out fires instead of focusing on the root of the problem. This leads to patching the software until a new flaw appears. More patching is done until the next flaw, and the process repeats itself over and over until you are stuck with a patched-up application which still can’t withstand the looming threat of security flaws. You can keep patching the software, but beneath the patches lies the real nightmare.

Patches are the result of bad development in the first place and impatient users in the second place. I agree it is not the responsibility of the user to debug the software; you pay for the software so that the software company can pay its testers to do their job properly. So what is the bottom line here? Are the intentions of closed source users the same as those of open source users when they go public with security flaws? Undoubtedly no. Closed source users do it out of frustration with the software companies, while open source users seek a solution to a looming threat.

What do I suggest you do next time you stumble across a security flaw? Keep it quiet for as long as possible and report it to the responsible software company. By doing this you will prevent an uncontrollable spread of exploits for this specific flaw. If the company is dedicated to fixing its software, you will allow it more time to focus on the core of the problem. This will be beneficial for the end user as well as the software company. It will make their software more secure, which will lead to greater support and consumer confidence in their product. Better consumer confidence leads to bigger profits, and a responsible company uses these profits to make its product even better.

I agree that the picture I’m painting is one from a perfect, unselfish world, but doing the opposite will do no good either. Encourage people to switch to more secure applications and stop revealing each and every exploit of the less secure application.

Spend your time and energy promoting and enhancing promising software instead of bad-mouthing software that does not deserve the attention at all.

Coenraad de Beer - Platinum Author
