Government plans to issue early warnings of software
vulnerabilities have been welcomed by John Meakin, group head of
information security at Standard Chartered Bank and founder member
of open standards user group the Jericho Forum.
The move would give firms with large international networks
valuable extra time to fix their systems, he said.
Meakin is not happy with the current system, under which IT
directors are kept in the dark about vulnerabilities while
suppliers develop patches.
"The critical issue for all firms at the moment is that the time
between a vulnerability being announced and an exploit being
released on the web is shrinking. If the NISCC can deliver, it
might just help us be better prepared for when the exploit finally
comes out," he said.
"I am very uncomfortable with the current situation where we have a
group of people, including the supplier and the security
researcher, who may be aware of the vulnerability for six or nine
months before people like myself in the front line of security in
an organisation get any inkling."
Meakin said the NISCC's plans, if they worked, would be
particularly helpful in advising companies of vulnerabilities that
were unlikely to be patched because they are regarded as features
of the product.
Stuart Okin, UK head of security at Microsoft, said, "General
sharing of best practice and locking down configuration
vulnerabilities is absolutely essential for a safe world. That is
why we support the NISCC and the work that it is doing."