« Questions to Amrit on effective vulnerability management | Main | Google-DoubleClick, memories of days of the Internet gone by »

April 13, 2007

Are we at risk for not allowing white hats into web web apps?

Joris Evers at CNET has a good article up on whether we are all at risk because supposed white hats are afraid of potential legal prosecution for hacking into web apps without permission.  Jeremiah Grossman of White Hat Security (and a past guest on our podcast) is quoted as saying that: "We're losing the Good Samaritan aspect of security".  He uses the gun law analogy that if we make it illegal to find vulnerabilities in web sites, only bad guys will find them.  Sort of like if it is illegal to own guns, than only bad guys will own guns.  I disagree with the gun analogy and I disagree with Jeremiah on this one.  I just think there is too much room for abuse to allow condone people hacking into web sites.  Who really knows what their motives are.

Evers brings up the case of Eric McCarty who hacked into USC's online application system.  Many who support the idea of White Hats being allowed to hack in originally were sympathetic to McCarty's plight. Further investigation revealed however that McCarty may not have had the "good sumaritan" motives driving his actions. In fact there may even have been elements of spite and revenge there. So I think that it is too much to trust the motives of anyone hacking into a web app and it needs to be illegal without permission

This also brought up a conversation I had with Thomas Ptacek on our podcast a couple of weeks ago.  Most every web app being sold and used by the enterprise is now being subject to 3rd party audits by companies such as Matasano and White Hat Security.  I think that is a good thing and see nothing wrong with such investigation and certification being done with permission in a paid engagement like that.  When you have people hacking in for no reason other than their good will though, I have a problem with everyones motives being the same.


TrackBack URL for this entry:

Listed below are links to weblogs that reference Are we at risk for not allowing white hats into web web apps?:


My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.


Lijit Search

Blog powered by TypePad
Member since 10/2005