Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: David Litchfield (david@ngssoftware.com)
Date: Wed May 29 2002 - 14:25:16 EDT


> The statement could have been written more clearly. Comma's help
> to delineate dependencies in a statement. Here's what I got out
> of it:
>
> - NGSSoftware does vulnerability research.
> - Vendors have been slow to patch vulnerabilities.
> - To make patch process more prompt, vendors will be given 1 week heads up
> when vulnerabilities are discovered.
> - After 1 week, the public will be alerted by NGSS.
> - NGSS will provide a workaround to the public, unless that
> workaround will provide exploitation details.
> - NGSS will add a check for the vulnerability to vuln assessment software,
> regardless of whether the check would disclose exploitation details.
> - This process is consistent with ietf Christey-Wysopal draft.
> - This process will make the patch process more visible by
> providing a way for the public to see how long it took to write the
> patch.

A fairly good summation, however....

>
> This process will keep some exploitation details away from the public, and
> particularly, a minority of malicious members of the public.
>
> Though obvious, it is worth noting that this process will only keep
> exploitation details of vulnerabilities disovered by NGSS from the public,
> and the underground will continue to write exploits for private
distribution
> until they are old enough to be hired as consultants.

This comment (and some which follow) indicate you've missed on of the key
points. When the vendor does release a patch NGSSoftware will follow up with
full details as normal. The VNA is not intended to replace our normally full
advisory - it simply exists as an interim solution to 'help' ensure vendors
release patches in a timely fsahion.

> Alfreds comments about how this will affect the pen-testing profession
seem
> to be based on the possibility that, advisories published by NGSS will
cause
> customers to want to be sure their pen-testers are checking for these
> vulnerabilities. Without detailed information about these vulnerabilities,
> pen-testers may not be able to check for them, which could lead to
incomplete
> assessments, and potentially, an further erosion of the credibility of the
> profession.

Again this is counteracted by the follow up advisory - see above. The
pentest community will still get the full information so they can provide
their customers with details of these vulnerabilities. It is not and never
has been the intent of NGSSoftware or the guys that make up the company to
'horde' our research and keep it to ourselves.

> NGSS's process is a way to make vulnerability R&D finally pay for itself,
> because they know that being simply being elite doesn't mean much to
> the managers and CFO's making purchasing decisions. The only value add
> that there is in a competetive market like security software/services
> is proprietary technology, and a means to protect that advantage. Spending
> their expensive R&D resources to get props on bugtraq or at blackhat won't
> keep them fed, despite the community value of doing so.

By putting these checks in Typhon, which we've always done, we buy a week or
two advantage over something like Nessus.

Hope this clears things up.
Thanks,
David Litchfield
http://www.ngssoftware.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT