
Bug reporting process open to infection

by James Middleton

01 Mar 2001


Security experts are calling for a set of guiding principles to formalise the process of reporting security vulnerabilities, claiming that in the "real world" the whole process is liable to failure.

According to a report in the latest Internet Security Conference Newsletter, authored by Ivan Arce, founder and chairman of security group Core-SDI, there are numerous "bugs in the bug reporting process".

Discoverers of bugs in software and hardware often do not have the skill or time to research the problem, making it difficult to determine if the problem actually exists, or if it is specific to the discoverer, said Arce.

Nor does the discoverer usually have the resources to help the vendor confirm and isolate the problem, and vendors are often slow to address reports through lack of interest or resources.

There is also a noticeable lack of communication between discoverer and vendor, either because the discoverer goes straight to publishing on a public forum, or because the vendor is unresponsive. When several discoverers or several vendors are working on the same problem, the result is often a lack of co-ordination and leakage of vulnerability details before a fix is available, leaving users exposed, Arce warned.

He pointed to several security bugs discovered by himself and other security experts at the SafeNet security conference held at the end of last year. Although these bugs were found more than two months ago, fixes are still few and far between.

Arce said he believed that 'proxies', individuals or groups that take responsibility for publicising vulnerabilities on behalf of the discoverer, would be helpful in co-ordinating communication and could even go some way to researching the bug. But as Arce points out, "this effort is in its infancy" and needs some serious work.

In the meantime, Core-SDI has issued a set of interim guidelines, labelled 'A feeble attempt at improving the process', to stand until security experts can agree on or set out formal guidelines for bug reporting.

Arce's full report and Core-SDI's guidelines can be found here.
