How is it that Mozilla, Apple, and others have, for so long, gotten away with claiming moral superiority in the security space over Microsoft? I’m not here to defend some of the obvious shortcomings that Microsoft has had related to security; but it seems that Microsoft’s rivals made security a marketing platform – bad move, IMHO. In the meantime, Microsoft has been heads-down working to try to improve their security posture and image. With Vista, I believe that they’ve been at least partially successful with both goals.
The core issue every company faces is that programmers are humans. We are flawed creatures who create flawed systems. I don’t think that can ever be overcome. So, the more complex the project, the more errors (vulnerabilities) will exist. Further, the bigger the target (i.e. Microsoft), the more vulnerabilities that will be found.
So, back to my initial query – how is it that other vendors attempt to claim moral superiority? The Month of Apple Bugs (MOAB) must have been a major embarrassment for the folks at Apple. Mozilla’s Firefox (which I use, by the way) has certainly had its share of security issues. Even everyone’s friend, Google, has had issues. And it’s even worse when our security products are proven to be vulnerable.
Again, from my perspective, it is understandable that there are security issues with these products -- but don’t make a marketing platform out of something that simply doesn’t exist.
We have to realize that NO vendor is immune from security issues. Vendors who claim that their products are ultra-secure and who are subsequently proven wrong should be taken to task. I wouldn't necessarily make a "false advertising" or "unfair trade practice" claim...but someone who got burned via a security bug in an allegedly "superior" product might have different thoughts...
Where do we go from here? The best advice I have is to approach all vendor claims with a healthy dose of skepticism. If you are in the middle of getting a master license agreement in place, make sure that you have contractual provisions related to your expectations with regard to security, patch availability, source code auditing, and so on. Granted, depending on the size of your organization and who you are negotiating with, you may be limited here. But the key is that you want to extract some level of accountability.
Thoughts?

There clearly are things that one can do to reduce vulnerabilities, but, as you point out, no product of significant complexity can be totally secure. What does differentiate companies is their treatment of vulnerabilities. Some companies publish their vulnerability policies while others do not. Now, of course, publishing a weak vulnerability policy (e.g., "We'll get around to fixing it sometime.") is still better than not disclosing the vulnerability treatment or not following it.
If a company advertises its policy for dealing with vulnerabilities and doesn't follow it, it can be guilty of false advertising and potentially even liable for damages stemming from the vulnerabilities. Furthermore, with publication of the vulnerability policy, a buyer has some idea of what they are getting into.
There are many companies, including some that I'd bet your company and your bank use, that do not claim any degree of responsiveness once a vulnerability is made public. Some of these companies have had known vulnerabilities that allow remote arbitrary code execution for many months. (Sorry for the crypticness but I neither want to single out a company nor open myself for libel.)
As you point out, Perry, it makes no sense to demand perfect programs, but it does make sense to demand appropriate handling once vulnerabilities are found. To achieve this, you must have an understanding of how vulnerabilities are looked for internally, what external sources the company uses, how customers can report vulnerabilities (a public email address listed on the web site that is open for vulnerability submission by customers and non-customers alike is a good sign), etc.
Neil Smithline
But I think it is also self-punishing, as people love to prove these claims wrong and generally do a pretty effective job of it. You missed another obvious example, though. I cringed at "unbreakable" Oracle.