Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: batz (batsy@vapour.net)
Date: Wed May 29 2002 - 13:27:40 EDT


On Tue, 28 May 2002, Alfred Huger wrote:

:http://www.nextgenss.com/news/vna.html

The statement could have been written more clearly. Commas help
to delineate dependencies in a statement. Here's what I got out
of it:

- NGSSoftware does vulnerability research.
- Vendors have been slow to patch vulnerabilities.
- To make the patch process more prompt, vendors will be given one week's heads-up
  when vulnerabilities are discovered.
- After 1 week, the public will be alerted by NGSS.
- NGSS will provide a workaround to the public, unless that
  workaround will provide exploitation details.
- NGSS will add a check for the vulnerability to vuln assessment software,
  regardless of whether the check would disclose exploitation details.
- This process is consistent with the IETF Christey-Wysopal draft.
- This process will make the patch process more visible by
  providing a way for the public to see how long it took to write the
  patch.

This process will keep some exploitation details away from the public, and
particularly, a minority of malicious members of the public.

Though obvious, it is worth noting that this process will only keep
exploitation details of vulnerabilities discovered by NGSS from the public,
and the underground will continue to write exploits for private distribution
until they are old enough to be hired as consultants.

Alfred's comments about how this will affect the pen-testing profession seem
to be based on the possibility that advisories published by NGSS will cause
customers to want to be sure their pen-testers are checking for these
vulnerabilities. Without detailed information about these vulnerabilities,
pen-testers may not be able to check for them, which could lead to incomplete
assessments, and potentially, a further erosion of the credibility of the
profession.

NGSS has a solution to this problem, and that is their Typhon product, which
is made superior to all others through its exclusive access to vulnerabilities,
which have been discovered by the NGSS team.

So, pen-testers are now in the position where if they don't use Typhon, they
run the risk of overlooking serious vulnerabilities, and customers who
are made aware of NGSS VNAs will know that the only way to find
these vulnerabilities is through Typhon (or via the eventual vendor
patch release).

While I respect the skills of the crew over at NGSS, creating a cartel of
superior clue will not harm the pen-testing profession.

Here's why:

ISS tried this and (I suspect) found that their vulnerability R&D investment
wasn't the reason people were buying their product. They have the most
mature product on the market, despite the arguably more complete scanning
tools available for free. Even ISS has moved towards a managed service
business model where their vulnerability scanner is only a complement to
their core IDS business. 0-day x-f0rce scanner checks haven't damaged
the credibility of good pen-testers, or even provided convincing enough
value-add to undermine Nessus as the choice of some very credible managed
security firms.

NGSS's process is a way to make vulnerability R&D finally pay for itself,
because they know that simply being elite doesn't mean much to
the managers and CFOs making purchasing decisions. The only value-add
that there is in a competitive market like security software/services
is proprietary technology, and a means to protect that advantage. Spending
their expensive R&D resources to get props on bugtraq or at blackhat won't
keep them fed, despite the community value of doing so.

NGSS does not have a monopoly on clue. While they have some really smart
people, they assert that other people will and do discover vulnerabilities
in parallel. This has been, and will continue to be, true of
widely deployed applications like Bind, JRun, Oracle, SSH, and others.

And finally (this is getting long), the main reason this will not undermine
the rest of the pen-testing profession is that the value to the customer
of a pen test is not the arsenal of exploits available to prove the
vulnerabilities exist; it is the credibility of the consultant who tells
them what they need to do to fix them. The credibility of a consultant
is seldom related to their toolkit. That most of their tools are already
publicly available is evidence of this.

Also, NGSS (if they are smart) will focus their vulnerability research
on the most widely deployed applications with the highest risk, to provide
the most value to their customers. If you are a consultant actively engaged
in doing vulnerability research, I would advise you to give up on that elite
Plan 9 emulator exploit, and do the same if you are concerned about making
the Internet more secure.

Otherwise, I wholeheartedly encourage the rest of you to get some liquor,
some amphetamines, and start hacking, because NGSS's announcement means that
pen-testers will no longer be freely benefiting from the exploit code from
the 10 or so people they have writing it. It will be interesting to see
if anyone notices.

Cheers,

--
batz


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT