Commentary: Rapid response is essential

By John Pescatore, Gartner Analyst

Back in the "Dark Ages" before the Internet, software vendors rarely acknowledged any security bugs in their products and often waited months to launch patched versions when such weaknesses were discovered.

When computers weren't exposed to

	See news story: Hacker watchdog group in the works

the Internet, that practice was acceptable and reduced a vendor's cost of launching multiple patched releases of its software to address multiple bugs. Still, it was a glaring example of "security through obscurity"--the software continued to be vulnerable, and vendors relied on no one finding the weaknesses and no one being able to access the susceptible computers.

The Internet has changed all that. As Microsoft and other software vendors have learned with Web software, plenty of savvy attackers can find vulnerabilities in computer software and break into the more than 50 million computers that are exposed to the Internet today.

While the vast majority of attackers are unskilled "script kiddies" who take advantage of published vulnerabilities to craft their attacks, most attacks occur after the vendor releases the patch, not because someone released vulnerability information before the vendor developed the patch. Software vendors' attempts to restrict information on software vulnerabilities may reduce their embarrassment, but will also aid attackers and reduce security.

Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks. However, in the Internet Age, companies need rapid information about vulnerabilities in the software they are exposing to the Internet--to a large extent--to drive software vendors to produce software with fewer vulnerabilities. Companies also require this information to make informed decisions about immediate actions to take to protect their business and customer data.

Gartner believes that a software vendor should be provided at least two weeks to respond to a vulnerability with a patch or workaround before the information is made public and given another two weeks if additional time is required for regression testing of a patch. Any software vendor that cannot respond in that time should, in Gartner's opinion, not be selling software that will be exposed to the Internet.

(For a related commentary on security problems associated with Web servers, see Gartner.com.)

Entire contents, Copyright © 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.