The model was formed to accomplish two goals:
??? Reduce the risk of software vulnerabilities by providing an improved method of
identification, investigation, and resolution.
??? Improve the overall engineering quality of software by tightening the security
placed upon the end product.
There is a controversy related to OIS. Most of it has to do with where the organization??™s
loyalties lie. Because the OIS was formed by vendors, some critics question their methods
and willingness to disclose vulnerabilities in a timely and appropriate manner. The root of
this is how the information about a vulnerability is handled, as well as to whom it is disclosed.
Some believe that while it is a good idea to provide the vendors with the opportunity
to create fixes for vulnerabilities before they are made public, it is a bad idea not to
have a predetermined time line in place for disclosing those vulnerabilities. The thinking
is that vendors should be allowed to fix a problem, but howmuch time is a fair windowto
give them? Keep in mind that the entire time the vulnerability has not been announced, or
a fix has not been created, the vulnerability still remains. The greatest issue that many take
with OIS is that their practices and policies put the needs of the vendor above the needs of
the community which could be completely unaware of the risk it runs.
Pages:
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172