Disclosure: Security Pros Want Flaw Information Sooner

More than 10 software vulnerabilities are discovered each day. These flaws in operating systems and business applications make it easier for hackers to use worms and viruses to attack business-technology systems.

George V. Hulme, Contributor

July 2, 2004


More than 10 software vulnerabilities are discovered each day. These flaws in operating systems and business applications make it easier for hackers to use worms and viruses to attack business-technology systems. Overall, the number of vulnerabilities discovered in 2003 (3,784) was down from 2002 (4,129), according to the CERT Coordination Center, an Internet security group. But each vulnerability must be looked at, analyzed, and fixed.

In most cases, a vulnerability is quietly reported to a software vendor, which then develops a patch to fix the security hole. The vulnerability and the patch are disclosed together, the model usually called coordinated (or "responsible") disclosure.

But some security-technology professionals don't want software vendors to wait until they've developed a patch before revealing that a flaw exists.

Around 70% of the 7,000 business-technology and security pros who participated in the InformationWeek Research 2004 Global Information Security Survey say they want software vendors to disclose vulnerabilities immediately upon discovery. About a third say vendors should disclose a vulnerability once a patch is developed, while about 2% say there's no need ever to disclose a vulnerability.

"There are certain steps you can take to mitigate the risk of the flaw" once you know about it, says Bob Justus, senior VP of corporate information security and IS/IT contingency at Union Bank of California. "We could limit certain services that are at risk, conduct more monitoring, or create firewall policies."

Others argue that early disclosure of software flaws could place systems at greater risk of attack. "They're making an assumption that they can do something to mitigate the risk posed by the vulnerabilities," says Pete Lindstrom, research director at Spire Security. "But if they can't, then their exposure to risk is greatly increased."

Consider this: All of the major computer worms, from Code Red to Sasser, hit the Internet after the vulnerability and a patch to fix it were disclosed; what has changed is how long defenders had to apply that patch. The flaw SQL Slammer exploited was patched in July 2002, and the worm didn't appear until January 2003, but Witty appeared within two days of the disclosure of the flaw it exploited.

"I think there are different avenues for announcements," Justus says. Software vendors, for example, could give vulnerability information to customers under confidentiality agreements, he says. Justus adds that he'd "rather know sooner than later. I can do things operationally or do more manual monitoring" to protect his systems.
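Justus's two remarks above describe what a defender can do with a flaw disclosure before a patch exists: find the at-risk systems, restrict the vulnerable service with firewall policy, and watch it more closely. The script below is an added example of that triage, not code from the article or from Union Bank of California. The advisory, host inventory, allowlist, log format and log lines are all constructed for illustration, and the product names are hypothetical.

```python
"""Pre-patch triage for a disclosed flaw.

Given an advisory (product, highest affected version, listening port) and a
host inventory, find which hosts are exposed, draft iptables rules that
restrict the vulnerable service to an allowlist, and scan connection logs
for hits on that service from outside the allowlist. Everything here is
illustrative: product names, hosts, networks and log lines are constructed,
and the log format is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_max: str  # highest vulnerable version, inclusive
    port: int
    proto: str         # "tcp" or "udp"


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    product: str
    version: str
    zone: str          # "dmz" is Internet-facing, "internal" is not


def version_tuple(version: str) -> tuple[int, ...]:
    """Compare dotted versions numerically: as strings "8.0.2039" < "8.0.760",
    which would wrongly mark an already-patched build as vulnerable."""
    return tuple(int(part) for part in version.split("."))


def is_affected(host: Host, adv: Advisory) -> bool:
    return (host.product == adv.product
            and version_tuple(host.version) <= version_tuple(adv.affected_max))


def exposed_hosts(inventory: list[Host], adv: Advisory) -> list[Host]:
    """Affected hosts, Internet-facing ones first: they need controls today."""
    hits = [h for h in inventory if is_affected(h, adv)]
    return sorted(hits, key=lambda h: (h.zone != "dmz", h.name))


def firewall_rules(adv: Advisory, allow_from: list[str]) -> list[str]:
    """iptables rules to apply on each exposed host: accept the vulnerable port
    only from allowlisted networks, then drop everything else. ACCEPT lines
    must precede the DROP, so they are emitted first."""
    base = f"iptables -A INPUT -p {adv.proto} --dport {adv.port}"
    rules = [f"{base} -s {net} -j ACCEPT" for net in allow_from]
    rules.append(f"{base} -j DROP")
    return rules


# Assumed log format (constructed for this example): key=value fields per line.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")


def flag_connections(log_lines, exposed, adv, allow_from):
    """(src, dst) pairs that reached the vulnerable service on an exposed host
    from outside the allowlist. Unparseable lines are skipped, not fatal."""
    exposed_ips = {h.ip for h in exposed}
    allowed = [ip_network(n) for n in allow_from]
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        if (m["dst"] not in exposed_ips or int(m["dport"]) != adv.port
                or m["proto"] != adv.proto):
            continue
        if any(ip_address(m["src"]) in net for net in allowed):
            continue
        flagged.append((m["src"], m["dst"]))
    return flagged


# Constructed sample data: a hypothetical "exampledb" listening on UDP 1434.
ADVISORY = Advisory("exampledb", "8.0.760", 1434, "udp")
INVENTORY = [
    Host("db-dmz-1", "192.0.2.10", "exampledb", "8.0.760", "dmz"),
    Host("db-int-1", "10.0.1.20", "exampledb", "8.0.534", "internal"),
    Host("db-int-2", "10.0.1.21", "exampledb", "8.0.2039", "internal"),  # above range
    Host("web-1", "192.0.2.11", "examplehttpd", "2.0.49", "dmz"),        # other product
]
ALLOW_FROM = ["10.0.0.0/8"]  # management network that may still reach the service
LOG_LINES = [  # constructed
    "2004-07-02T09:00:01 src=10.0.5.7 dst=192.0.2.10 dport=1434 proto=udp",
    "2004-07-02T09:00:05 src=198.51.100.23 dst=192.0.2.10 dport=1434 proto=udp",
    "2004-07-02T09:00:09 src=198.51.100.23 dst=192.0.2.11 dport=80 proto=tcp",
    "2004-07-02T09:00:12 src=203.0.113.9 dst=10.0.1.20 dport=1434 proto=udp",
    "garbage line with no fields",
]

if __name__ == "__main__":
    exposed = exposed_hosts(INVENTORY, ADVISORY)
    print("exposed:", [h.name for h in exposed])
    for rule in firewall_rules(ADVISORY, ALLOW_FROM):
        print("  ", rule)
    print("flagged:", flag_connections(LOG_LINES, exposed, ADVISORY, ALLOW_FROM))
```

The version comparison is the part most often got wrong in practice: a string comparison puts "8.0.2039" below "8.0.760" and would list the already-fixed host as exposed. The firewall output is a draft to review, not something to apply blindly; in particular, the allowlist must cover every legitimate client of the service or the mitigation becomes an outage.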

Illustration by Christoph Niemann

Return to main story: "Under Attack"


About the Author(s)

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications and is the security blogger at InformationWeek.com.
