Feeds

Show us the bugs – users want full disclosure

Test case needed

  • alert
  • submit to reddit

SANS - Survey on application security programs

End-users overwhelmingly support the full disclosure of security vulnerabilities, according to a recent survey by analysts Hurwitz Group, which demonstrates widespread frustration about vendor responsiveness to security issues.

Based on interviews with more than 300 software security professionals, the report shows that end users overwhelmingly support full disclosure - announcing security vulnerabilities as soon as they are discovered. The end users surveyed for the report are clearly angry that vendors are releasing insecure applications, and then not responding when flaws are detected, Hurwtiz reports.

"They see full disclosure in public forums and in the press as the only way to force vendors to respond to vulnerabilities caused by poorly written and insecure code. In fact, end users overwhelmingly support full disclosure even if it means exposing security flaws within their organisation that could have a negative impact on their company," it writes.

The research also shows that most end users want the information published and many want it published immediately. A full 39 per cent of respondents said that vulnerabilities should be disclosed upon discovery, with another 28 per cent wanting disclosure within one week.

The study undermines attempts by vendors, most notably Microsoft, to create a charter for the "responsible disclosure" of information of security vulnerabilities which would restrict the release of information about bugs. According to this line of thinking, disclosure should be delayed by up 30 days to give software vendors time to patch a system.

To openly discuss exploits of software bugs is leading to "information anarchy" and undermining Internet security, according to Microsoft. Three out of four security software professionals disagree, Hurwitz finds.

The study indicates a mounting frustration with users about security problems - and the general quality - of computer software. Users may soon seek to use the law to punish software vendors for these problems, Hurwitz suggests.

In the past, end users have had limited legal options, since product liability laws currently protect software vendors, but this may soon end, Hurwitz believes.

"Companies are so angry that they are now willing to take vendors to court," said Pete Lindstrom, Director of Security Strategies at Hurwitz Group. "I think we will soon see test cases in the courts to try to develop some requirements and standards for vendors. It will be interesting to see whether those cases will be successful, and whether standards will ultimately solve the problem for end users." ®

Related Stories

Setback for security through obscurity scheme
MS 'Security Framework' is another .NET vulnerability

External Links

Who's Liable for Security Bugs? Stuck Between a Rock and a Hard Place with Full Disclosure, report by Hurwitz Group

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.