Most parents will tell you that if you give a crying child candy to get him to be quiet, the crying may stop, but the child has learned an effective way to get candy whenever he wants it. The parent has rewarded bad behavior, and will pay a price down the road.
I recently discovered and reported a software vulnerability in an iOS app developed by a major financial services corporation. I found a case where sensitive customer information was being stored locally on the device without benefit of any real data protection; an attacker with access to the device could compromise the user's financial data in minutes.
I reported the vulnerability to the financial institution; I thought that was the right thing to do. I made sure the company took the problem seriously. I didn't threaten it with irresponsible disclosure, and I provided it with all the information it would need to verify the problem. It did, and it promised a fix. In less than two months, the fix was provided, and the software was updated on Apple's App Store.
I didn't want or seek any form of remuneration or recognition in doing this. I was grateful that the company took the problem seriously and fixed it. Nowhere in the publication of the software update did my name appear. I'm fine with that.
I can't help but think that's a more positive way of handling software vulnerabilities, on both sides of the equation.
But if a software organization shouldn't rely on the public to report vulnerabilities, what should it do? I'd suggest spending more time and money on security testing internally. Build and test it right in the first place. That's not foolproof, I know, and some vulnerabilities won't be caught before the software is released. But when that happens and someone else finds the vulnerability, we all deserve a better system than having to pay that person to disclose the problem. That is a flawed system, folks -- though I know that's not a popular opinion.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.