From: kspett at spidynamics.com (Kevin Spett)
Subject: Re: [VulnDiscuss] HP Full Disclosure Story

    Vendors need to realize that security is *their* responsibility.  People
do *not* understand this.  There are very few software vendors who take the
time and money (and it requires a lot of both) to make sure that their
engineers implement secure coding practices and that security is considered
in the QA cycle.  The fact that HP could not respond quickly and that there
was a queue of security-related problems being worked on is a great example
of this.  New security problems should always be treated as if malicious
hackers already know about them and are exploiting them.  HP obviously needs
to invest more money in security.  One of these days someone is going to
publish an "Unsafe At Any Speed" paper for IT security and this will change
because it will begin to affect companies' stock prices.  Until then, vendors
will go on not caring.
    When a researcher reports an issue to them, they are doing a favor.  A
big one.  They are helping make that company's customers more secure,
something the companies don't seem interested in doing themselves.  I happen
to think that alerting companies to security issues is the right thing to
do, but I do realize that others feel differently.  In the end, you cannot
force altruism on people.  If people don't want to disclose bugs to vendors
(and if they're met with the HP attitude, they won't) they don't have to.
The condescending and belittling attitude of the HP security person was
simply inexcusable.  Tamer was doing them a favor by giving them a heads-up
before he published his advisory.  He just wanted to know how quickly they
were going to fix it and how things were going.  That's a small price for
the service of security QA.  Not only is HP's policy of never telling anyone
anything asinine, but their security contact person's attitude was poor.
The "$50 billion dollar company" and 9/11 remarks simply amazed me.  While I
realize that the HP employee might not have set up the policy he was working
within, his defense of it and the way he chose to implement it make it clear
that he was supportive of it.  This is not a case of screaming at a phone
company operator because you disagree with a charge on your bill.  Their
security contact guy needs to realize that he is just a cog in a "$50 billion
dollar" company that doesn't care enough about his department to give it
adequate funding and staffing resources.
    Also, I think that NGS Software has an excellent way of handling these
types of incidents with their vendor notification alerts.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

Please note that the ideas and opinions expressed in this message are mine,
and are not necessarily endorsed by SPI Dynamics.

