Open response to draft OIS proposal for handling vulnerabilities

From: Kenneth R. van Wyk (ken_at_VANWYK.ORG)
Date: 06/17/03

    Date:         Mon, 16 Jun 2003 21:27:30 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    As many of you NTBugtraq regulars probably know, the Organization for Internet
    Safety (OIS) recently posted a draft proposal for the safe disclosure of
    security vulnerabilities in software products. (The full proposal is at
    http://www.oisafety.org/process.html, FYI)

    In addition to having just finished writing an O'Reilly book on the topic of
    secure coding practices (http://www.securecoding.org), my co-author, Mark
    Graff, and I have each spent several years fighting vulnerabilities -- he as
    Sun's Security Coordinator and I as a Technical Coordinator at the Carnegie
    Mellon CERT/CC. We've seen at least two of the major perspectives of the
    "vulnerability circus" quite closely. As such, we feel quite strongly that
    the OIS proposal has some fundamental flaws at various levels, and have
    published an open response to it. For those interested, our response is
    available at http://www.securecoding.org/authors/oped/june102003.php

    Cheers,

    Ken van Wyk
    Co-Author, Secure Coding: Principles and Practices (O'Reilly, 2003)


