GM security chief on vulnerability disclosures

27.04.2006
It's not every day that the Chief Information Security Officer (CISO) at the world's largest automaker gets to present a keynote talk at a hacker convention. So when General Motors Corp. CISO Eric Litt was asked to do precisely that at the European Black Hat Convention in Amsterdam earlier this year, he used the chance to reach out to the hacker community. His goal: present to the hackers his look at the problems large corporations face when dealing with software vulnerabilities -- and the manner in which they are disclosed and remedied. Litt spoke Wednesday with Computerworld about those same issues. Excerpts from the interview follow:

Why is this issue of vulnerability disclosure practices so important to you?

If you are a CISO, you really are stuck in the middle between a bunch of different constituents that are out there. You have the researchers and the academic folks and then you have the software vendors -- and we have to deal with the cards that get dealt to us. Somebody releases off-the-shelf software and it has got vulnerabilities in it. If those vulnerabilities don't get plugged, I have to deal with the fact that I have vulnerable code in my environment. Then we have people out there who are trying to figure out how to hack into an environment or to exploit a vulnerability and they may be doing it for different ethical or non-ethical reasons. And I have to try and protect my environment.

In your opinion what should responsible vulnerability disclosure and remediation practices be about?

I broke the problem into a bunch of different viewpoints when I did the Black Hat thing. If you take a look at the exploiter's view of the world, what's in it for them? What motivates them? Fame, fortune, curiosity and creativity. They want attention, they want money. If you look at the ethical researchers' world, they are out there motivated by the same things. The differentiator is what they do with the information they get. So as I sit here as the CISO of a large company, don't I want things to be discovered? Absolutely, because I want to make sure vulnerabilities are plugged. Don't I want people to be rewarded for the work they have done? Absolutely. If they are not rewarded on the clean side, they'll be rewarded on the dirty side. People always will find a way to get rewards.

So what is responsible disclosure? Suppose there's a vulnerability in some platform and you discover it right now and you go tell the world about it. Some researchers would say that's exactly what you should [do] because otherwise the vendor won't address it. And I say, 'Wait a minute. Time out. You are now telling people how I can be compromised and that's a big problem.' [On the other hand], you discover something and you tell vendor XYZ that there's a vulnerability in their product and they do nothing for 200 days; they simply are not responsive. What do you expect the researcher to do? So we haven't created between the vendor, the ethical researcher and the business consumer an environment that is synergistic and that we can all benefit from. I think it is doable, but I'm not sure anybody is really taking on that challenge.

How should vendors be responding to vulnerabilities that are discovered in their products?

In an ideal world there wouldn't be any vulnerabilities and they wouldn't have to disclose anything. But that is not the world. Really critical vulnerabilities must be plugged immediately, whatever 'immediately' might be. On the other hand, what is critical? I think what you are seeing in the industry today is that most of the vendors are trying to be very conservative in their ratings of vulnerabilities. What they are really trying to do is limit the exposure that gets generated from them having had a vulnerability. As a vendor, if you call everything critical then you've covered your bases. You've said here's the vulnerability, here's the fix for it and you need to do it right away.