Software Integrity

Naming vulnerabilities

The Badlock Bug announcement raises a few really interesting issues. The first and most important issue that we shouldn’t lose sight of is that software vulnerabilities, especially ones that affect widely used open source components like Samba, pose a very real threat. Finding these bugs by integrating security testing into the development process and throughout the software lifecycle is important. The best-case scenario is eliminating them before software is released, but realistically you can’t catch them all. When vulnerabilities are discovered in the wild, they often require rapid and pervasive remediation efforts to preempt attacks, so timing is critical.

The second and perhaps more fiercely debated issue right now is responsible disclosure. Security researchers and vendors have a responsibility to notify the appropriate stakeholders when they find a vulnerability so it can be addressed before details are revealed to the public. In this case, it appears that SerNet began working with the Samba Team and Microsoft to resolve the problem some time ago. What’s interesting is that they made a big splash by branding the bug and going public with some of the details almost three weeks before the official disclosure and patches were scheduled to be released. A lot of the criticism in security circles today is that this announcement is a marketing stunt that not only challenges hackers to start poking around but also gives them a pretty good idea where to start looking.

There were people who criticized Codenomicon, now part of Synopsys, for giving Heartbleed a name and a logo when we independently discovered it back in April 2014, so this situation feels somewhat familiar. The difference, of course, is that we didn’t make an announcement until after OpenSSL issued a patch and word had already started to spread from other sources. In our case, the clever name and logo definitely contributed to how much attention the bug received, especially among people outside the security profession. Our company got a lot of exposure too, but our efforts helped educate a lot of people and ultimately led to a greater awareness around software security. That’s a good thing. Branding the Badlock Bug may have a similar effect, and I hope that’s the case.