Vendors, Disclosure and Patching problems – an open letter by IT Security Geeks

When I read this link,

AN OPEN LETTER TO SOFTWARE VENDORS

I lived a well-known story I saw many times…  I totally agree with them, and I would like to add some word to their letter:

@hdmoore linked the Rapid7 Disclosure policy: 60 days as maximum time given to the Vendor to patch… they are many, in a working environment. If you need more time to fix a “standard” vuln (memory corruption, sql injection, XSS, RFI, …) please re-think one of your process: do you develop bad code, with too many security bugs? Do you not undertake a correct Risk Analisys? Is your Incident Team too slow to address the issue after the Security Researcher/Consultant/Pentester submitted the bug?

 

Dear vendor,

until your Development Processes + Incident Handling Teams/Process + Risk Analisys & Management Structures will not communicate and will not see themselves as interrelating structures, you will not get even closer to real security. Your “quick” response (2-3 months or even a year!) is inappropriate to this new world.

Bad guys have twitter to share vulns in 15 minutes; they google your watermarks to find your product deployed on small or big companies! Small sites/companies are attacked for anonymization, DDOS, find customer’s data, spam, phishing, … and big ones can be totally owned for you vulns.

Yes, bad guys can own a company because of your bugs: just think about it, if I have found a big issue in only 5 days, what could an “armed&dangerous” team do in 3 months? And why will they target you? Who knows, perhaps because one day someone will look at you old-fashioned-web1.0-app, with no ajax and few css support, and will start thinking “how old this one is?”…

Please, stop thinking “I have reviewed my policies/processes 4 years ago, they are ok”… No, they’re not, 4 years ago no one used twitter or FB or google+ like today. 4 years ago cloud services waere pioneristic! 4 years ago there were not Stuxnet or DuQu, integrated malaware with extensive capabilities.

You have to rethink yourself as attackers became more powerful, and world goes on… If you think about it now, you have time to do big changes that will lead to a more secure state, if you continue delaying, please believe me when I say that tomorrow could be too late for your business

Kind Regards

A Senior Security Consultant

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s