What's your take on the full disclosure of vulnerabilities?
If full disclosure includes releasing working source code that exploits the vulnerability, I'm not so sure I support it after what happened to David Litchfield - the release of the recent Sapphire worm that used his code. I think sensible disclosure needs to occur - alerting the vendor/maintainer in advance and giving them an opportunity to address the problem. Unfortunately, aggressive disclosure is sometimes the only motivation to encourage software giants to correct their problems.
Too, you may want to question the motivation and methods behind the disclosure. It sometimes seems that disclosure is not always done for the noblest reason - alerting of vulnerabilities and stimulating fixes. Depending on the visibility and popularity of the software related to the disclosure, there can be a lot of publicity surrounding the individual or company making the disclosure. Ironically, some of these companies sell products or services to aid you in your quest for perfect security.
Based on your experiences, do you find proprietary software or open source software to be more secure?
Truthfully, I don't know statistically which is more secure - you would tend to say that if Microsoft is representative of proprietary software then proprietary software is less secure than its open source counterparts. But, is Microsoft considered less secure because everyone and his brother is pounding on it or because it is more ubiquitous than other software? I don't know the correct answer; I just know that I prefer the open source model.
My closest reference to the controversy is Snort, the open source IDS. Snort is in a unique position because it is a collective open source effort that has probably literally hundreds, if not thousands of eyes scrutinizing the code and improving it. I realize that not all open source garners as much attention or interest as Snort, but because of the group development model and intelligent direction provided by Marty Roesch, you have an excellent source code offering. This makes it hard for the proprietary offerings to compete with Snort because of the ready pool of free talent and resources available.
What advice would you give to people starting to learn about intrusion detection?