| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 17 Mar 2007 18:33:30 -0000 From: "Mark Litchfield" <Mark@...software.com> To: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>, <full-disclosure@...ts.netsys.com> Subject: Conflict of Interest - My summary One point of view that was raised whereby it could possibly be determined that an OS vendor providing security applications to protect it's OS was a conflict of interest is as follows: "IMHO I think the fear has always been that as long as an OS was closed source, that company owning that OS could write or have inside knowledge of vulnerability information that would benefit or promote that security product more than another company. This could almost be classified like insider trading." Whilst this statement is somewhat true, many of the security vendors offer up many other enterprise solutions to their customers that are not all about protecting the end user from an 'attack'. Whilst the install base may not be as big as that of an OS Vendor, many of these enterprise solutions can be critical to the daily operation of a business. So any vulnerabilities found in these products, these security vendors can mitigate the risk at day zero by applying IPS / IDS signatures to their existing product range in the absence of a patch. Are they likely to share this zero day information with their competition, I think not. Also, is it really such a bad thing that an OS vendor who offers up Security Applications can immediately protect its customer base at almost day zero when a vulnerability has been reported to secure@...tever.com by adding the protection capability within its Secuirity Apps. At this point the vendor knows their customers in the interim are protected, whilst they get down to examining the area of code for the flaw, determine if there are any more vulnerabilities and then produce a patch. Another good example is Oracle, they have their Database Vault, which is 'designed' to add an additional layer of security to protect their database and their customer. This is clearly a responsible approach, but I do not hear any complaints or shouts of a conflict of interest by those that produce 'Database IDS / IPS' solutions. There will always be the argument that an OS vendor should not charge for the OS and then charge for the additional security protection, but for some vendors, they may have no other alternative as it may pave the way for a lawyers banquet which they would most likely lose in the end. (I am no laywer, but one could easily forsee, every security vendor filing Anti-Trust law suits, they would have to, they need to protect their business and their shareholders) There will also, always be the arguement from security vendors that (and lets be honest about it, they are only talking about Microsoft here), that MS should share zero day vulnerabilities with them so that they can offer the same level of protection within their security solutions. This is unlikely to ever happen (would they share their zero days with MS ?) Of all the applications out there, do they get zero day information from any other vendor such as Sun, IBM, HP, Apple etc, again I think not. My original email, was to get a wider well informed view of opinions on the subject to determine if my belief was right / wrong. So I guess my opinion in conclusion still stands, that ANY software vendor who looks to add additional layers of security (free or not), it (IMHO) is not a conflict of interest and serves the end user well. By what ever means necessary, it should be the responsibility of the vendor to include / offer increased 'peace of mind'. Thanks to all those that contributed All the best Mark
Powered by blists - more mailing lists