
| Subject: | Re: Pentester convicted.. |
|---|---|
| Date: | Thu, 11 May 2006 10:52:00 +0200 (CEST) |
Hiho,
Hey there pen-testers, take this with a grain of salt, it just got me excited. I am really interested in everyone's opinion on the matter of corporate responsibility and ownership.
> <RANT> In an article posted to slashdot today (http://it.slashdot.org/article.pl?sid=06/05/10/112259&from=rss) a man
*snip*
If I understand correctly, the guy informed the customers about the security problem? Not the "owner" of the problem? Although it seems that the company was aware that a problem exists. But giving this information out to the customers is definitely not the correct way to handle things. The company is acting irresponsibly as well by not fixing the problem. Their opinion that "the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure" is ridiculous. Once a security problem exists, the integrity is impaired whether few know about it or it is known all over the world. One person is enough to compromise a system. Of course, on the risk side you can calculate that the more people know about the problem, the more likely it is that someone is exploiting it. But knowing about a problem and betting that no one will notice is careless. Security by obscurity never works for long. And: it is not the existence of security problems that gives a company a bad reputation. The way they handle their problems does.
Now to the pentesting side: As a pentester, I will not lay my (virtual) hands on any computer or application to explore/exploit it without a solid signed contract permitting me to do so. If I stumble over an oddly behaving application by chance, I may report to the responsible people that something is odd and ask them to fix it. I will not investigate any further unless a contract comes my way.
If I see that a reported problem still exists, then this is bitter ... for the people who use that service. So what about my responsibility? Am I responsible for the security of the customers because I know they are using a service that may impact their security somehow? Although I already notified the owner of the service that a problem exists? I don't think so. Although I admit it leaves me feeling uncomfortable. One thing one can try is to escalate the problem within that company. But telling their customers directly? No, that's no way. So what about the last way: going public instead of informing the victims directly? I think it depends on the problem and how it is presented. Making people aware of security problems is necessary. Keeping information closed away is segregating the wrong people. It's difficult to find the right way.
Cheers,
Christine Kronberg.
-- Shalla Secure Services http://www.shalla.de