Re: Conflict of Interest - My summary

Board: Bugtraq  Author: (not shown)  Time: 19 years ago (2007/03/21 02:40)  Push: 0 (0 0 0)
0 comments, 0 participants, latest discussion thread 2/2
my summary: conflict of interest == fear of losing the business!

On 3/18/07, Mark Litchfield <Mark@ngssoftware.com> wrote:
> One point of view that was raised whereby it could possibly be determined
> that an OS vendor providing security applications to protect its OS was a
> conflict of interest is as follows:
>
> "IMHO I think the fear has always been that as long as an OS was closed
> source, that company owning that OS could write or have inside knowledge of
> vulnerability information that would benefit or promote that security
> product more than another company. This could almost be classified like
> insider trading."
>
> Whilst this statement is somewhat true, many of the security vendors offer
> up many other enterprise solutions to their customers that are not all about
> protecting the end user from an 'attack'.
>
> Whilst the install base may not be as big as that of an OS vendor, many of
> these enterprise solutions can be critical to the daily operation of a
> business. So for any vulnerabilities found in these products, these security
> vendors can mitigate the risk at day zero by applying IPS / IDS signatures
> to their existing product range in the absence of a patch.
>
> Are they likely to share this zero-day information with their competition? I
> think not.
>
> Also, is it really such a bad thing that an OS vendor who offers up security
> applications can immediately protect its customer base at almost day zero
> when a vulnerability has been reported to secure@whatever.com by adding the
> protection capability within its security apps? At this point the vendor
> knows their customers in the interim are protected, whilst they get down to
> examining the area of code for the flaw, determine if there are any more
> vulnerabilities and then produce a patch.
>
> Another good example is Oracle: they have their Database Vault, which is
> 'designed' to add an additional layer of security to protect their database
> and their customer. This is clearly a responsible approach, but I do not
> hear any complaints or shouts of a conflict of interest by those that
> produce 'Database IDS / IPS' solutions.
>
> There will always be the argument that an OS vendor should not charge for
> the OS and then charge for the additional security protection, but for some
> vendors, they may have no other alternative as it may pave the way for a
> lawyers' banquet which they would most likely lose in the end. (I am no
> lawyer, but one could easily foresee every security vendor filing anti-trust
> lawsuits; they would have to, they need to protect their business and their
> shareholders.)
>
> There will also always be the argument from security vendors (and
> let's be honest about it, they are only talking about Microsoft here) that
> MS should share zero-day vulnerabilities with them so that they can offer
> the same level of protection within their security solutions. This is
> unlikely to ever happen (would they share their zero days with MS?). Of all
> the applications out there, do they get zero-day information from any other
> vendor such as Sun, IBM, HP, Apple etc.? Again, I think not.
>
> My original email was to get a wider, well-informed view of opinions on the
> subject to determine if my belief was right / wrong.
>
> So I guess my opinion in conclusion still stands, that for ANY software vendor
> who looks to add additional layers of security (free or not), it (IMHO) is
> not a conflict of interest and serves the end user well. By whatever means
> necessary, it should be the responsibility of the vendor to include / offer
> increased 'peace of mind'.
>
> Thanks to all those that contributed
>
> All the best
>
> Mark
>

--
---------------------------------------
http://www.secgeeks.com
get a blog on secgeeks :) register here:- http://secgeeks.com/user/register
rss feeds :- http://secgeeks.com/node/feed
Submit your security articles, send them to secgeek@secgeeks.com
http://www.newskicks.com
Submit and kick for new stories from all around the world.
---------------------------------------
Article ID (AID): #1602g800 (Bugtraq)