
The Chilling Effect

January 17th, 2007

The website CSO Online identifies itself as the "Resource for Security Executives"... and for that reason, there are plenty of stories on the site that don't necessarily interest me... A recent story, The Chilling Effect by Scott Berinato, caught my eye as it comes at a time when everyone is talking about Disclosure; Responsible Disclosure vs Full Disclosure. The tag line attached to the article sums it up nicely:

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.

The 6 page story, which includes comments from Jeremiah Grossman and RSnake, doesn't look at your classic "off the shelf" or "out of a box" software... It looks at web applications, at vulnerabilities such as XSS and discusses how disclosure can work in the "Web Environment".

It's an interesting topic of discussion. These days it's not uncommon to "stumble" upon an XSS or SQL Injection attack... sometimes it's as simple as changing a GET variable to disclose another's information... Then you have the ethical, and legal, question... "Do I report it?". It seems that a lot of companies are unhappy when a web-based attack is reported on their websites. Rather than thank you and fix the code, they want to harass you and come after you from a legal standpoint and when this happens... it's the logic of the company involved that I fail to understand.
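The "change a GET variable and see someone else's data" case mentioned above, shown as an added example that is not from the article or this post: a constructed record store with a lookup that trusts the `id` parameter beside one that also checks the record belongs to the logged-in user and records refused attempts. All names, records and the `id` parameter are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample data; not real accounts.
RECORDS = {
    "1001": {"owner": "alice", "email": "alice@example.com"},
    "1002": {"owner": "bob", "email": "bob@example.com"},
}

DENIED = []  # audit trail of refused lookups; a real app would write these to its log


class Forbidden(Exception):
    """Raised when the caller does not own the requested record."""


def record_id_from_query(query_string):
    """Pull the 'id' parameter out of a raw query string such as 'id=1002'."""
    return parse_qs(query_string).get("id", [None])[0]


def lookup_vulnerable(query_string, session_user):
    """Returns whatever record the id points at. The session user is ignored,
    so editing id=1001 to id=1002 in the URL lets alice read bob's record."""
    return RECORDS.get(record_id_from_query(query_string))


def lookup_hardened(query_string, session_user):
    """Same lookup, but the record's owner must match the logged-in user.
    A missing record is also reported as Forbidden so the response does not
    reveal which ids exist."""
    record_id = record_id_from_query(query_string)
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not read record {record_id!r}")
    return record


def access_allowed(query_string, session_user):
    """True if the hardened lookup succeeds; refused attempts are logged to DENIED."""
    try:
        lookup_hardened(query_string, session_user)
        return True
    except Forbidden as exc:
        DENIED.append(str(exc))
        return False
```

A burst of denials for many different ids from one session is the pattern a defender would look for in the DENIED log.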

I, for one, would rather someone report a vulnerability in one of my websites to me; it's better than a visitor being taken advantage of by a malicious party.

Vendors want responsible disclosure... perhaps the "standard" Vendor should work to push the benefits of responsible disclosure on companies with web-based applications, or even non-IT companies that have a web presence. Microsoft, for example, a champion of responsible disclosure, should provide literature to companies on the positive benefits of responsible disclosure over full disclosure. The supporters of responsible disclosure could even start a legal fund to back those who are currently willing to responsibly disclose web vulnerabilities.
If security researchers, hackers, or any other term you want to use, could report web-based vulnerabilities responsibly, without fear of retribution and with the expectation of a simple thank-you email, I think it'd be a great start towards making the net a safer place for everyone.
