Users Urge Disclosure of Security Flaws

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Two years ago, the Securities and Exchange Commission (SEC), at the urging of individual investors, adopted a “fair disclosure” rule barring insider stock
transactions based on company news that has not yet been made public.

Current market turmoil notwithstanding, the regulation has given non-institutional shareholders a more complete picture of a company’s fiscal health and prospects.

Now, IT security managers want openness too. Specifcally, they want to know what vulnerabilities exist among the millions of lines of code that run their databases,
billing applications and servers — and they want to know now.

A new survey of more than 300 users strongly supports prompt notification of potential problems: 39 percent said immediately, another 29 percent said within a
week. The industry standard in reporting problems, if at all, is about a month.

“It was very surprising to me to see that people are so fed up that they are willing to take the risk (of broadcasting the flaw),” said Pete Lindstrom, a security analyst
with Hurwitz Group, the Framingham, Mass., research firm, that conducted the survey.

One respondent fumed: “(Full disclosure) gives the competition an opportunity to really beat up the offending party. Now that can be an incentive to fix your
software!”

Another acknowledged that software makers cannot be held 100 percent accountable for exploits, “but complete negligence” is evident from some
companies and “should not be accepted.”

Specific vendors were not named in the survey. Microsoft and Oracle recently disclosed problems and tend to attract the most publicity because of their size and the pervasivness of their products.

Vendors face the pressures of producing very complex applications, as well as needing to get those products to market before the competition, Lindstrom said.

The issue is complex and pits software vendors against consultants and hackers, with enterprises caught in the middle, Lindstrom said. Vendors are constantly
probed by consultants and hackers seeking the slightest flaw, then must respond with patches. And the press pounces on every new glitch.

While IT managers agree that bugs are a serious and costly problem, they are unsure what the proper disclosure mechanism is. Many get information via an e-mail
list, but such updates almost always leak to the press, who many feel overplay them.

More importantly, there is the question whether full disclosure will really make companies tighten their code and testing procedures. Some in the industry think the
courts might have to be involved.

Heretofore, software makers have generally been shielded by product liability law. In boilerplate license agreements, buyers accept that they are buying the product
“as is.”

“I think we will soon see test cases in the courts to try to develop some requirements and standards for vendors,” Lindstrom said. “It will be interesting to see
whether those cases will be successful, and whether standards will ultimately solve the problem for end users.”

But for the software industry, there is really no SEC-like authority to issue guidelines, and no way to know if mandatory reporting would accomplish the goal of
making systems safer and software more polished.

So, until a standards road map for a standard is drawn, full disclosure will remain an intriguing, yet unproved idea. Until then, the current system will prevail, which
one IT manager, speaking for the minority, summed up the debate like this:

“People are going to disclose what they disclose on a schedule that meets there needs. Get over it.”

Editor’s note: The complete Hurwitz Group report is sold through the company’s Web site.