Ivan Arce, chief technology officer of Core Security Technologies in Boston, is a big proponent of penetration testing as a way for companies to find and fix their vulnerabilities. In fact, that's one of his company's main specialties. But what does he think of vulnerability disclosure in the public domain? Is he a fan of all the hacking contests and "month-of" flaw disclosure projects that have dominated news headlines in recent months? Arce explains why he thinks hacking contests and public vulnerability disclosure projects do little to improve IT security.
Ivan Arce: I'm not familiar with the internal security process of TJX, but in general, if you do penetration testing as a regular part of the process and you act on the results, your security posture will continue to improve over time. It might not prevent incidents like what happened [to TJX], but it can help.
Based on your customers' use of Core's penetration testing tools, what are the most common vulnerabilities that threaten companies today?
Arce: It's definitely the client-side and application vulnerabilities under the control of inexperienced or unaware users. Browser bugs and email attacks are examples, where the user clicks on a malicious URL. All it takes to break into an otherwise secure network is for a user to click on a malicious email attachment or visit a malicious Web site.
Is there any one browser that you see as more secure than others?
Arce: You have to take the market share of each browser into account. I personally don't use Internet Explorer. I think it has evolved with a lot of security improvements, but it's still a very huge and complex program with many different components that do a lot of different things. But every browser nowadays will do things like that. Obviously the attackers will go for the one with the largest market share, which is Internet Explorer. So I try to stay away from it.
Which browser do you use?
Arce: In general, my comments applied to most software vendors. Not many people know what goes on between the times a vulnerability is reported to the vendor and when a patch is released. Overall, the process isn't very transparent. Most vendors and vulnerability researchers don't always provide as many technical details about the process to the user community as they should.
For a lot of researchers who might not feel a vendor is responsive or quick enough, the answer has been to have these various "month-of" flaw disclosure projects. Do you think this is the right way to motivate the vendor to act more quickly?
Arce: I think it's mainly a PR marketing effort rather than a systematic attempt to improve security and find vulnerabilities. It shouldn't be about lighting fires under the vendor. It should be about thinking about the end user who is vulnerable. I'm not sure these projects leave them in a safer position.
Another trend in the research community is the hacking contests like one last month where a researcher received a $10,000 prize for hacking a Mac. Is that something that's useful or should the vendor always be given time to develop a patch first?
Arce: In the case of the CanSecWest contest, there was work with the vendor (Apple) and the patch came out very quickly. As for the cash prizes for finding and disclosing bugs, I don't think it's the right approach to improve security. The right thing to do is adopt a scientific methodology for research: providing information that can be tested and repeated by someone else, providing peer reviews of information and following a set of steps. We should focus on that instead of trying to build a market for vulnerabilities.
This was first published in June 2007