Security Round Table – Episode 3 – Liability for Vulnerabilities and Responsible Reporting
I am excited to present to you the SRT’s third episode. The goal of these podcasts is simple: bring together podcasters and occasional guests to discuss important security topics. This episode had some great (read: diverse) representation as we tackled the issue of who should be responsible for vulnerable code and “good practices” around notification, patching and the like.
This podcast went a bit longer than planned, and I suspect we could have kept talking all night long! I personally learned quite a bit and enjoyed the opportunity to explore some of these issues and hear different perspectives. I hope you enjoy it too!
Joining us on this effort were:
Martin McKeay (The Network Security Podcast)
Paul Asadoorian (Pauldotcom Security Weekly)
Jamal Khan (Hdaar Security Radio)
Alan Shimel (Still Secure, After All These Years)
Ron Woerner (Security Catalyst Contributor)
Ideas? Comments? Suggestions? securitycatalyst@gmail.com
Michael (The Security Catalyst)

I have enjoyed listening to your discussion on whether and when to disclose vulnerabilities to the public. I recommend the article “Is finding security holes a good idea?” by Eric Rescorla. He is taking an objective take on the issue, looking at a cost analysis of the different scenarios.
I know that roundtables can be difficult, but some of the rants were very biased. It’s the old school: if you defend Microsoft, you’re not a true techy. You can love *nix and appreciate what Microsoft does. For example, look at McAfee. In February, they discovered and patched a vulnerability in EPO. Last month, a third party finds the hole and announces it. This requires McAfee to scramble for press releases to get the word out. A regular update cycle could have helped remedy this.
Imagine how much better Linux would be if a regular release schedule were available.
Overall you guys are doing well; I just get the idea that Martin is about 80% B.S. and 20% in over his head. Just my opinion…
I’m not sure if my last post went through.
I enjoyed the podcast but am getting kind of sick of people not being able to lose their objectivity. They have such a built-in hatred for Microsoft that they can’t recognize where they were and where they are. The old school, if you don’t wet yourself when you hear *nix, is really short-sighted. The fact is Microsoft is here to stay. Their patch schedule is a great idea and is saving enterprises lots of money and allowing them to better calculate risk.
As Alan said, on a vulnerabilities-to-user ratio, Microsoft is a better solution for most. The OS is easier to patch and not that bad. I will always have an affinity for my *nix flavors, but I know my end users and CEO will always make me have to support Microsoft. With that being said, I think that, with it being a necessary evil, it’s good to have a reliable patch schedule.
Also, as far as the format goes, I really enjoyed a lot of what everyone had to say, with the exception of Martin. He is a bit long-winded and doesn’t really offer anything new or relevant to the conversation. He’s about 80% B.S. and 20% over his head.