Open response to draft OIS proposal for handling vulnerabilities
From: Kenneth R. van Wyk (ken_at_VANWYK.ORG)
Date: 06/17/03
Date: Mon, 16 Jun 2003 21:27:30 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
As many of you NTBugtraq regulars probably know, the Organization for Internet
Safety (OIS) recently posted a draft proposal for the safe disclosure of
security vulnerabilities in software products. (The full proposal is at
http://www.oisafety.org/process.html, FYI)
In addition to having just finished writing an O'Reilly book on the topic of
secure coding practices (http://www.securecoding.org), my co-author, Mark
Graff, and I have each spent several years fighting vulnerabilities -- he as
Sun's Security Coordinator and me as a Technical Coordinator at the Carnegie
Mellon CERT/CC. We've seen at least two of the major perspectives of the
"vulnerability circus" quite closely. As such, we feel quite strongly that
the OIS proposal has some fundamental flaws at various levels, and have
published an open response to it. For those interested, our response is
available at http://www.securecoding.org/authors/oped/june102003.php
Cheers,
Ken van Wyk
Co-Author, Secure Coding: Principles and Practices (O'Reilly, 2003)