Commentary: Rapid response is essential
Software vendors' attempts to restrict information on software vulnerabilities may reduce their embarrassment, but will also aid attackers and reduce security.
Back in the "Dark Ages" before the Internet, software vendors rarely acknowledged any security bugs in their products and often waited months to launch patched versions when such weaknesses were discovered.
When computers weren't exposed to
The Internet has changed all that. As Microsoft and other software vendors have learned with Web software, plenty of savvy attackers can find vulnerabilities in computer software and break into the more than 50 million computers that are exposed to the Internet today.
Although the vast majority of attackers are unskilled "script kiddies" who build their attacks from published vulnerabilities, most attacks occur after the vendor releases the patch, not because someone released vulnerability information before the vendor had developed one.
Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks. However, in the Internet Age, companies need rapid information about vulnerabilities in the software they expose to the Internet, in large part to drive software vendors to produce software with fewer vulnerabilities. Companies also require this information to make informed decisions about the immediate actions they should take to protect their business and customer data.
Gartner believes that a software vendor should be given at least two weeks to respond to a vulnerability with a patch or workaround before the information is made public, and granted another two weeks if additional time is required for regression testing of a patch. Any software vendor that cannot respond in that time should, in Gartner's opinion, not be selling software that will be exposed to the Internet.
(For a related commentary on security problems associated with Web servers, see Gartner.com.)
Entire contents, Copyright © 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.