This is cache of http://ravichar.blogharbor.com/blog/_archives/2007/1/8/2633707.html. Cache is the snapshot of article that we took when we index feed.
Product Vendor's sloppiness vs. Hacker's intelligence
2007-01-08 07:01:06 by RaviC in Musings on Information Security
 

There is a news item about a serious vulnerability in a popular piece of software, and it generates a lot of buzz. The security community talks about how hackers have evolved in their attack methodology and motives. Product vendors are blamed for their tardiness in responding. The story repeats ad infinitum. Am I excited to hear the story over and over again? No way! I am bored of the repetition.

Consider this scenario: a hacker finds a vulnerability in a product from a vendor.

The vendor has access to all the source code. The vendor has knowledge of the functional design, architecture, known bugs, future roadmap, et al. Moreover, the vendor has the money and other valuable resources.

The hacker, in most cases, does not have access to the source code. The hacker does not have all the details of the functional design, architecture, known bugs, future roadmap, et al. Pragmatically speaking, the hacker is trying to break into a black box with limited resources.

There is a clear information asymmetry between the vendor and the hacker. This information asymmetry gives the vendor excellent leverage over the hacker. With this leverage and the resources at its disposal, a vendor can do a lot more to prevent vulnerabilities in shipped products than is currently being done.

If a hacker finds a vulnerability in a product, I am more inclined to point the finger at the vendor's sloppiness than to heap encomiums on the hacker's intelligence.

How about making it mandatory for a vendor to disclose the process it employs to assure the security of its product offerings?
