Silence of top security voices a cause for concern

Two of the top Web Security researchers have admitted that as their businesses grow, they will be reporting and sharing less.

Remaining platform and technology agnostic in Information Security is a progressively more difficult task as people and companies develop the skills and abilities to form professional fee-based relationships with the vendors that they previously reported about.

Two of the biggest names in Web security, RSnake (Robert Hansen) and Jeremiah Grossman, have recently bemoaned the fact that, since the development of their business interests, they have found that their fee-based relationships with a number of companies is preventing their open reporting of security issues that they would have openly reported on previously.

This isn't all that surprising, given the common use of Non Disclosure Agreements and other measures to limit the distribution of sensitive information, but for people who have found it normal to speak openly and freely on whatever material they choose, it is an introduction to the world of business that sometimes grates.

It might be seen as a growing up process for individuals and the wider industry, but it is going to have a direct impact on the information that is published openly for review and consideration. Both have admitted that as time goes on the quality and quantity of information being published by themselves will only decrease. It marks the compromise between releasing information openly and needing to be fed, clothed and housed.

The alternative for them is to exit their professional services and make security writing their full time occupation, though that is something that they aren't really willing to do.

The Information Security threat picture may have worsened in the years since they began, but the open sharing of information has helped the defenders at least keep touch with the attackers as more and more information is placed in the open.

Attackers aren't bound by the same rules of limiting their disclosure or sharing of information and this is their greatest competitive advantage. It is assured that threats to data and systems are going to get much worse before they are going to get better. While there is more awareness of security as an integral part of development, deployment, and administration, there will always be new holes discovered that risk catastrophe. Improvement is taking place, but it will never get to the point that the online environment or networked data could ever be considered 'safe'.

Others will step forward to take on the mantle of quality information source, but it will take some time for those people to emerge from the crowd and establish their reliability and credibility. Abuse and criticism from the uninformed and the unaware that is directed at many who share information can lead to valuable sources of information drying up and for people to leave the field completely. When some disclosure is very ethically dubious - is an XSS competition going to cause more harm than good, for example -- some of this criticism is well founded. Overall, the greater benefit generally outweighs the other ethical concerns. When you are on the receiving end of misdirected vitriol it can be difficult to see the big picture at times.

That credibility and reliability doesn't come straight away and the field is difficult enough as it is getting the information right takes a fair bit of hard work. Dave Aitel (of ImmunitySec) complains about the gulf between what academia release and what the industry understands and does. It is accepted that a top quality programmer may be a hundred times more productive than an average programmer. The same holds true with Information Security research - the top researchers are far more productive than the average, significantly more than would be expected. When one or two of the top researchers effectively stop releasing information, it isn't a simple matter to find their replacements. The big problem comes with identifying the published research that is relevant, which is difficult when most of the industry doesn't understand the concepts being published despite being called on to critically assess and weight that information - though that is a communication problem that can be addressed.

There are still some companies that celebrate their independence from external sources, and there are those that happily give up some of that independence in exchange for a commercial relationship.

In the interests of disclosure, I am an Information Security researcher who has taken the opportunity to use professional writing as an opportunity to help improve the awareness of Information Security issues in the wider market as well as the quality and accuracy of reporting on those issues. The only thing that I won't write about is what my company does, is, or sells.

Join the newsletter!

Error: Please check your email address.

More about SecurityFocusWeb Security

Show Comments
[]