Additionally, it was discovered that, generally speaking, the lowest level of vendor
security professionals work in maintenance positions, which is usually the group who
handles vulnerability reports from finders. It was concluded that a lower quality of
patch would be expected if this is the case.
Vulnerability after Fixes Are in Place
Many systems remain vulnerable long after a patch/fix is released. This happens for several
reasons. The customer is continually overwhelmed with the number of patches,
fixes, updates, versions, and security alerts released every day. This is the reason that
there is a maturing product line and new processes being developed in the security
industry to deal with "patch management." Another issue is that many of the previously
released patches broke something else or introduced new vulnerabilities into the environment.
So although it is easy to shake our fists at the network and security administrators
for not applying the released fixes, the task is usually much more difficult than it
sounds.
iDefense
iDefense is an organization dedicated to identifying and mitigating software vulnerabilities.
Started in August 2002, iDefense employs researchers and engineers to uncover
potentially dangerous security flaws that exist in commonly used computer applications
throughout the world.
Chapter 3: Proper and Ethical Disclosure
67
PART I