Friday, January 19, 2007

On Vendor vs Hacker: A Useful Reminder on How the World Works

This post serves as a useful reminder for folks who are stuck writing documents for compliance instead of dealing with security issues :-) (and for others too)

"Consider this scenario: a hacker finds a vulnerability in a product from a vendor.

The vendor has access to all the source code. The vendor has knowledge of the functional design, architecture, bugs, future roadmap, et al. Moreover, a vendor has the money and other valuable resources.

The hacker does not have access to the source code in most cases. The hacker does not have all the details about the functional design, architecture, bugs, future roadmap, et al. Pragmatically speaking, a hacker is trying to break into a black box with limited resources."

The conclusion drawn by the author of the above is kind of questionable, though:

"If a hacker finds a vulnerability in a product, I am more inclined to point a finger at the vendor's sloppiness than to heap encomiums on the hacker's intelligence."

I would say "not always." A vendor is in the business of making money, and leaving vulnerabilities in the product (by not spending a fortune on security software testing) might make some business sense. Thus, it is not always sloppiness. And some vendors do make an extra effort, so those folks who discover vulns in their stuff are pretty darn intelligent...


Dr Anton Chuvakin