Upcoming Events

Executive conference

Cloud Connect March 16-18

Comprehensive thought leadership for executives, IT professionals and developers. Topics include: the ROI, cost and economics of on-demand computing; Migration strategies to move from on-premise to cloud-based IT; Vertical cloud specialization, tailoring features and architectures to specific applications, industries, and customer ecosystems

More Events »

Vendor Newsfeed

More Vendor Newsfeed »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

 
NetNews
N E W S / A N A L Y S I S  


Reducing Security Liabilities

  July 10, 2003
  By Mike Fratto


TOC Issue TOC
Printer Print full article
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author

The Organization for Internet Safety -- which includes Internet Security Systems, Microsoft, Network Associates, Oracle and @Stake as members--has devised guidelines for security bug hunters to follow when a vulnerability is found. The group states, "OIS recognizes that the processes will only be adopted if they represent the consensus of the security community." Unfortunately, OIS forgot to invite the very large community of independent researchers to the party.

Some fear that OIS will use the guidelines to silence researchers and disclosure mailing lists. Researchers perceive a threat because these guidelines can be deemed a standard that vendors can use to sue researchers for their findings. But it isn't a big threat: At best, guidelines such as these are viewed as best practices and can't, by themselves, be used effectively in civil or criminal courts because they aren't standards or laws.

This seems like a CYA move. The rumblings that vendors should be held financially or criminally liable for security vulnerabilities are getting louder, and one way vendors can fend off legal action is to show that they have taken reasonable care to remove or fix vulnerabilities. If vendors adhere to a set of published guidelines, it lends support to their argument that they are doing what they can to fix problems.

Post a comment or question on this story.


Best of the Web

Data deduplication: Declawing the clones

Data deduplication is emerging as a critically important new arrow in the storage administrator's quiver to answer hard questions about the increasing problem in storage growth costs.

Quick Read

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

One of the great ironies of storage technology is the inverse relationship between efficiency and security: Adding performance or reducing storage requirements almost always results in reducing the confidentiality, integrity, or availability of a system.

Quick Read

WAN Optimization Whitelists and Blacklists

Optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.

Quick Read

WAN Optimization as a Managed Service: It's Not About the Cost

This insight examines how organizations outsourcing their WAN optimization initiatives to a third-party go about achieving their goals for application performance, reducing operational costs, and streamlining enterprise infrastructure.

Quick Read

  Sponsored Links

Premium Content

Next Generation Data Center, Delivered, November 17th
NWC


Salary

Video

View All Videos

Most Popular

Stories Blogs

More Stories »

Whitepapers

More »

BlogRoll