
January 04, 2007

Vulnerability Pimps - I love the name

Ryan Russell from over at BigFix has a good article up on his blog today about Vulnerability Pimps. To be fair, it seems the term has been around for a while now and was most recently used by Marcus Ranum over on his site. Marcus has a good article up on his experiments using Fortify on some open source tools to look for vulnerabilities, which prompted Ryan's article. While Marcus makes some great points, one of the things Ryan zeros in on is the people who make a living or feed their egos by finding and announcing vulnerabilities. So at the risk of pissing off my friend (I think we are friends these days), Ross Brown, let me bring this back up. Marcus talks about finding vulnerabilities and his view of responsible disclosure. He says it best here:

"One topic in security about which I have been exceptionally vocal
is the question of how to handle vulnerabilities when they are
discovered. I personally believe that the hordes of "security
researchers" that are constantly searching for new bugs are largely a
wasteful drain on the security community. The economy of "vulnerability
disclosure," in which credit is claimed in return for discovering and
announcing bugs, has had a tremendous negative impact on many vendors'
development cycles and product release cycles. Many of these larger
vendors have begun using automated code-checking tools like Fortify
in-house, to improve their software's resistance to attack. Indeed, if
the "security researchers" actually wanted to be useful, they'd be
working as part of the code audit team for Oracle, or Microsoft. But
then they couldn't claim their fifteen minutes of fame on CNN or
onstage at DEFCON."

By the way, in a footnote Marcus notes that he prefers the term vulnerability pimps to security researcher, which is what he is. Ryan takes a counterpoint, saying that if not for the pimps, who is going to fulfill this role, and that they do serve a purpose in getting vendors to toe the line. I have already written what I think about this stuff. I applaud the vulnerability researchers (pimps) for finding vulnerabilities and responsibly disclosing them. I just don't like that they do it for their own personal or corporate aims, like promoting their own security tools. Rich Mogull makes a good point about this today as well. He is calling for February to be "the month of no bugs", after we have lived through the month of browser bugs, the month of kernel bugs and now the month of Apple bugs. I really think the good work these researchers do can be lost amid the grab for headlines that ensues.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.