Users Urge Disclosure of Security Flaws

IT managers want to know about holes in their systems ASAP, a Hurwitz Group survey shows. But there is little consensus about how to convince vendors to tighten code.
Two years ago, the Securities and Exchange Commission (SEC), at the urging of individual investors, adopted a "fair disclosure" rule barring insider stock transactions based on company news that has not yet been made public.

Current market turmoil notwithstanding, the regulation has given non-institutional shareholders a more complete picture of a company's fiscal health and prospects.

Now, IT security managers want openness too. Specifcally, they want to know what vulnerabilities exist among the millions of lines of code that run their databases, billing applications and servers -- and they want to know now.

A new survey of more than 300 users strongly supports prompt notification of potential problems: 39 percent said immediately, another 29 percent said within a week. The industry standard in reporting problems, if at all, is about a month.

"It was very surprising to me to see that people are so fed up that they are willing to take the risk (of broadcasting the flaw)," said Pete Lindstrom, a security analyst with Hurwitz Group, the Framingham, Mass., research firm, that conducted the survey.

One respondent fumed: "(Full disclosure) gives the competition an opportunity to really beat up the offending party. Now that can be an incentive to fix your software!"

Another acknowledged that software makers cannot be held 100 percent accountable for exploits, "but complete negligence" is evident from some companies and "should not be accepted."

Specific vendors were not named in the survey. Microsoft and Oracle recently disclosed problems and tend to attract the most publicity because of their size and the pervasivness of their products.

Vendors face the pressures of producing very complex applications, as well as needing to get those products to market before the competition, Lindstrom said.

The issue is complex and pits software vendors against consultants and hackers, with enterprises caught in the middle, Lindstrom said. Vendors are constantly probed by consultants and hackers seeking the slightest flaw, then must respond with patches. And the press pounces on every new glitch.

While IT managers agree that bugs are a serious and costly problem, they are unsure what the proper disclosure mechanism is. Many get information via an e-mail list, but such updates almost always leak to the press, who many feel overplay them.

More importantly, there is the question whether full disclosure will really make companies tighten their code and testing procedures. Some in the industry think the courts might have to be involved.

Heretofore, software makers have generally been shielded by product liability law. In boilerplate license agreements, buyers accept that they are buying the product "as is."

"I think we will soon see test cases in the courts to try to develop some requirements and standards for vendors," Lindstrom said. "It will be interesting to see whether those cases will be successful, and whether standards will ultimately solve the problem for end users."

But for the software industry, there is really no SEC-like authority to issue guidelines, and no way to know if mandatory reporting would accomplish the goal of making systems safer and software more polished.

So, until a standards road map for a standard is drawn, full disclosure will remain an intriguing, yet unproved idea. Until then, the current system will prevail, which one IT manager, speaking for the minority, summed up the debate like this:

"People are going to disclose what they disclose on a schedule that meets there needs. Get over it."

Editor's note: The complete Hurwitz Group report is sold through the company's Web site.

Comment and Contribute


(Maximum characters: 1200). You have characters left.