The Security Samurai

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves - William Pitt


Rationalization, Sex, and Oracle

One of my favorite movies of all time is The Big Chill, and one of the best conversations in the movie is between Michael and Sam:

Michael: I don't know anyone who could get through the day without two or three juicy rationalizations. They're more important than sex.
Sam Weber: Ah, come on. Nothing's more important than sex.
Michael: Oh yeah? Ever gone a week without a rationalization?


Rationalizations help justify our shortcomings.  Without them, most people would live in a constant state of depression and inadequacy.  While reviewing the latest Oracle Security Update I found this article written by Mary Ann Davidson (Chief Security Officer, Oracle) on the problems with vulnerability disclosure.  I could not disagree more with her position.  The whole article boils down to one huge rationalization for Oracle's sluggish response time for fixing security bugs.


“There's a myth about security researchers that goes like this: Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly--if at all--if it weren't for noble security researchers using the threat of public disclosure to force them to act.”


I consider this to be a fairly accurate generalization of the software industry rather than a myth.  Notice how she says the “threat of public disclosure”.  This is very telling in and of itself as to her views of security.  Responsible public disclosure is not a threat.  It is the light that purifies.


Her main beef is with security researchers.  In reality, most security researchers will decompose an application to find vulnerabilities, alert the company with in-depth technical details (and usually include working code that exploits it), give them a time frame to come up with a fix, and then notify the public of the general details of the vulnerability.  The information they disclose is not in itself enough to create an exploit, although it is enough for hackers to begin analyzing the application to create one.  Companies often hire these researchers either proactively or in response to a vulnerability they find.


Security researchers fall into the white hat camp.  Their intentions are pure and their ability to make a living depends on their integrity.


Davidson depicts security researchers and public disclosure as a culture of extortion, releasing of exploit code, and other criminal acts.  She conjures images of Russian hackers who used extortion schemes to make hundreds of thousands of dollars during the dot-com bubble.  The current laws in the US have an extreme slant towards protecting corporations, rather than the consumers they put at risk.  If her depiction were even remotely accurate, the FBI could be called in to overzealously prosecute offenders at a moment's notice.


If rationalization helps her sleep at night, after releasing a quarterly update that fixes 36 bugs (on some platforms and not others) and doesn't address upwards of 50 other known vulnerabilities dating back to February of 2005, well then God bless.  She may want to consider the approach that Microsoft has taken, which includes a responsible public disclosure policy among other things.  Over the past 3 years, we in the security industry have seen a marked improvement not only in the speed of their response to a vulnerability, but also in the initial quality of their products.  No rationalization required.


-Eric Marvets


posted on Wednesday, May 03, 2006 12:27 AM