[WEB SECURITY] Should software vendors come clean about application vulnerabilities?

Anurag Agarwal anurag.agarwal at yahoo.com
Sat Dec 2 15:55:28 EST 2006

Only 3 takers for this. Looks like it's not that popular a topic. I am sure there are more than vendors on this list.

----- Original Message ----- 
  From: Greenarrow 1 
  To: Michael Sutton ; WASC Forum ; anurag.agarwal at yahoo.com 
  Sent: Thursday, November 30, 2006 5:13 PM
  Subject: Re: [WEB SECURITY] Should software vendors come clean about application vulnerabilities?

  Actually this is like jumping through hoops and hurdles. Who is, what if, and a lot of other questions fall into play. Was the software or program adequately tested before release? What benchmarks were used? There is a tendency today of getting a product to market ASAP regardless of flaws, as long as they are not critical. The developer tells management the product is not secured enough and the manager tells the developer to get it out as we are losing time and money. I have seen this in much software and even with some operating systems (not to mention names).

  Secure coding is also in the picture and I can tell you this: there is a high lack of secure coding going on today. Being a computer forensics professional I can relate to the amount of security flaws in generated programs today, and until IT understands that security is part of the picture we will all be doomed to flawed programs. I often wonder just how much greed plays a role in this, as in today's market it is the money that counts and not the safeguarding of a program or hardware. The user trusts the maker to produce a secured program and is not supposed to be the computer nerd who sees flaws. I have even seen major corporations install programs without thoroughly testing them because they trust the maker, so just do not blame the end user (most of whom would not even recognize a flaw) by saying it is their fault, as stated in a previous email.

  Finally, colleges are including full security within their computer courses for management. This was lacking for many years and it was shown by the lack of management support for good security within their programs. With education, seminars, and conferences now pushing security we can look forward to better development of both software and hardware, if by chance it does penetrate the old-time antics of some management personae.

    ----- Original Message ----- 
    From: anurag.agarwal at yahoo.com 
    To: Michael Sutton ; WASC Forum 
    Sent: Thursday, November 30, 2006 9:59 AM
    Subject: Re: [WEB SECURITY] Should software vendors come clean about application vulnerabilities?


    You made an interesting point. However, the end user still doesn't know what to expect. Application security is still evolving and the lack of benchmarking criteria is not helping much either. If someone is purchasing a product X from a company Y, they won't even know what kind of questions to ask from the security perspective. And even if they ask "are there any known security vulnerabilities?", we all know what the reply would be. As for a small company purchasing a single license vs. a large corporation buying multiple licenses... in my personal experience, small companies do more due diligence as compared to large organizations, who are mainly concerned with compliance. So who is going to make the vendors pay more attention to security?


    ----- Original Message ----
    From: Michael Sutton <msutton at spidynamics.com>
    To: WASC Forum <websecurity at webappsec.org>
    Cc: Anurag Agarwal <anurag.agarwal at yahoo.com>
    Sent: Thursday, November 30, 2006 9:34:42 AM
    Subject: RE: [WEB SECURITY] Should software vendors come clean about application vulnerabilities?


    IMO, the end user must ultimately be responsible for their own security. I'm not in general an advocate of legislation to protect the consumer. That said, end users generally fail to recognize the power that they have in influencing vendor actions. As a purchaser of any vendor's products you have every right to insist that the vendor adhere to certain standards before you are comfortable purchasing their software. Now if you're purchasing a single license it is unlikely that the vendor would be willing to change their business practices for you. If, on the other hand, you're a large corporation/government institution purchasing an enterprise license, that same vendor will be willing to jump through many hoops for you. In the past, I have encountered great frustration attempting to report security vulnerabilities to vendors unwilling to listen, only to later sit in on a conference call with an influential client asking that same vendor about those same vulnerabilities, and was witness to a very different response. End users need to exert their power and keep software vendors honest.

    How much testing is enough? There's no scientific answer to that question, only a business answer: when the cost to find further vulnerabilities exceeds the value that can be derived from finding them. No vendor of vulnerability assessment products would (should) ever be foolish enough to suggest that any and all vulnerabilities could be found using their product. However, being able to state that your products have been tested by product X, which uncovered no vulnerabilities, is one important level of assurance. Once again, the level of assurance required must be determined by the end user. Vendors cannot be expected to open the corporate kimono for every potential buyer to conduct an independent audit of their products, but fortunately, numerous classes of standardized audit exist for various situations... too many perhaps. Do you need a SAS 70, PCI, Common Criteria, BS7799, etc. audit/certification for your product? That depends on what your potential clients are (or should be) demanding.

    End users have great and often unrecognized power to shape the industry. I encourage them to take advantage of it.

    Michael Sutton

    Security Evangelist

    SPI Dynamics



    From: Anurag Agarwal [mailto:anurag.agarwal at yahoo.com] 
    Sent: Thursday, November 30, 2006 1:53 AM
    To: WASC Forum
    Subject: [WEB SECURITY] Should software vendors come clean about application vulnerabilities?

    Should software vendor come clean about application vulnerabilities?

    I am not sure if this topic has been discussed before in this forum. I would like to start a debate on this topic if people in the forum are OK with it.

    Here are my questions:

    1. The end user is the victim here as he doesn't know what he is getting into. He is using a product and has a false sense of security as the vendor claims his software has no vulnerabilities.

    2. The vendor may or may not have the knowledge of any vulnerabilities in his application BUT has he done his due diligence?

    3. Assuming the vendor has run an automated tool (AppScan, WebInspect) to scan the application, is that enough? Will the tools find all the vulnerabilities?

    4. Should the vendor outsource vulnerability assessment to a third party (for example WhiteHat, etc.)?

    5. What would constitute a vendor having done his due diligence? Are there any standards he can follow?

    I would really like this forum to debate this topic, and who knows, maybe that would give an insight into the future of application security.


