CERT steps up disclosure of security holes

Computerworld

(IDG) -- Carnegie Mellon University's CERT Coordination Center security advisory service instituted a new policy under which it plans to publicly disclose all software flaws and vulnerabilities 45 days after they're first reported to the organization -- regardless of whether the problems have been fixed by the vendors whose products are affected by the security holes.

The policy builds on CERT's usual practice of issuing periodic security advisories to its clients. Until now, such advisories have been restricted to vulnerabilities that the center considers to be particularly serious and in need of immediate attention by users. But as part of the new policy, CERT will now start issuing what are expected to be far more frequent "vulnerability reports" on all security problems that are reported to the center and are verifiably true.


CERT, which posted the details of the new policy on its Web site last week, said it will continue to pass on all relevant information about a specific security problem to the appropriate software vendor before making any public disclosures.

But after 45 days, the information will be released to the public along with any available fixes and workarounds that users can implement. Information about vulnerabilities that are considered particularly serious, or that would be easy for malicious attackers to exploit, will be released even earlier if the situation warrants an accelerated disclosure, said CERT member Shawn Hernan in an interview.


The idea is to provide software users with responsible, qualified disclosures while still giving vendors a reasonable amount of time to plug security holes, Hernan said. "The policy is really an attempt to balance the needs of the vendors with those of the general public," he added.

Meanwhile, the more selective security advisories that CERT currently issues will continue to be restricted to the most serious security problems and should be released at about the same pace as they are now, according to Hernan. CERT issued 17 advisories last year and has released about the same number so far this year. "When someone receives a CERT advisory, we want them to take it very seriously," he said.

CERT's plan to start making more frequent disclosures of software vulnerabilities comes at a time when some security experts are questioning the wisdom of releasing such information before vendors have a chance to fix the holes.

During a keynote speech at July's Black Hat Briefings security conference in Las Vegas, for example, security researcher Marcus Ranum charged that the full-disclosure approach isn't improving computer security. Instead, Ranum said, it's only encouraging more attacks -- a contention that was challenged by other conference attendees.

CERT will try to publish reports about as many vulnerabilities as necessary under its new policy, Hernan said. But in an attempt to minimize the possibility of attacks resulting from the disclosures, he added, the organization doesn't plan to publicly disclose any information that could be used by malicious hackers to exploit security holes.

CERT's change in policy is a step in the right direction, said Ryan Russell, an MIS manager at SecurityFocus.com, a rival online bulletin board and security portal based in San Mateo, Calif. Last year, the SecurityFocus site posted a total of 575 vulnerability reports.

"I'm firmly in the full-disclosure camp," Russell said. Giving users as much detailed information about vulnerabilities as quickly as possible helps companies take appropriate action to mitigate risks and protect themselves from attacks, he added.


© 2001 Cable News Network. All Rights Reserved.