Conflict of Interest - My summary



One point of view that was raised whereby it could possibly be determined that an OS vendor providing security applications to protect it's OS was a conflict of interest is as follows:

"IMHO I think the fear has always been that as long as an OS was closed source, that company owning that OS could write or have inside knowledge of vulnerability information that would benefit or promote that security product more than another company. This could almost be classified like insider trading."

Whilst this statement is somewhat true, many of the security vendors offer up many other enterprise solutions to their customers that are not all about protecting the end user from an 'attack'.

Whilst the install base may not be as big as that of an OS Vendor, many of these enterprise solutions can be critical to the daily operation of a business. So any vulnerabilities found in these products, these security vendors can mitigate the risk at day zero by applying IPS / IDS signatures to their existing product range in the absence of a patch.

Are they likely to share this zero day information with their competition, I think not.

Also, is it really such a bad thing that an OS vendor who offers up Security Applications can immediately protect its customer base at almost day zero when a vulnerability has been reported to secure@xxxxxxxxxxxx by adding the protection capability within its Secuirity Apps. At this point the vendor knows their customers in the interim are protected, whilst they get down to examining the area of code for the flaw, determine if there are any more vulnerabilities and then produce a patch.

Another good example is Oracle, they have their Database Vault, which is 'designed' to add an additional layer of security to protect their database and their customer. This is clearly a responsible approach, but I do not hear any complaints or shouts of a conflict of interest by those that produce 'Database IDS / IPS' solutions.

There will always be the argument that an OS vendor should not charge for the OS and then charge for the additional security protection, but for some vendors, they may have no other alternative as it may pave the way for a lawyers banquet which they would most likely lose in the end. (I am no laywer, but one could easily forsee, every security vendor filing Anti-Trust law suits, they would have to, they need to protect their business and their shareholders)

There will also, always be the arguement from security vendors that (and lets be honest about it, they are only talking about Microsoft here), that MS should share zero day vulnerabilities with them so that they can offer the same level of protection within their security solutions. This is unlikely to ever happen (would they share their zero days with MS ?) Of all the applications out there, do they get zero day information from any other vendor such as Sun, IBM, HP, Apple etc, again I think not.

My original email, was to get a wider well informed view of opinions on the subject to determine if my belief was right / wrong.

So I guess my opinion in conclusion still stands, that ANY software vendor who looks to add additional layers of security (free or not), it (IMHO) is not a conflict of interest and serves the end user well. By what ever means necessary, it should be the responsibility of the vendor to include / offer increased 'peace of mind'.

Thanks to all those that contributed

All the best

Mark



Relevant Pages

  • Re: Conflict of Interest - My summary
    ... conflict of interest is as follows: ... vulnerability information that would benefit or promote that security ... Whilst the install base may not be as big as that of an OS Vendor, ... Applications can immediately protect its customer base at almost day zero ...
    (Bugtraq)
  • [NEWS] Wonderware SuiteLink Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Vendor Information, Solutions and Workarounds ... Core sends the advisory draft to Wonderware support team. ...
    (Securiteam)
  • [Full-Disclosure] Security Industry Under Scrutiny: Part 3
    ... > varying degrees of 'faith' in the security industry. ... site admins and other whitehats. ... > architect would be notifying the software vendor alone... ... Full disclosure isn't so much a tool to get vunerability information ...
    (Full-Disclosure)
  • [NT] Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass (MS0
    ... Get your security news from a reliable source. ... Internet Explorer Zone Elevation Restrictions Bypass and Security Zone ... Vendor Information, Solutions and Workarounds: ... Core sends an advisory ...
    (Securiteam)
  • RE: Vendor wants remote control of our Servers and Workstations
    ... Of course the age-old problem with security is that ... Vendor has significant access to your internal ... this vendor uses the same method to support a number ... customer and makes significant changes ... ...
    (Security-Basics)