In the current threat environment, vulnerability research is incredibly important. These findings can serve to better protect users and make software developers and vendors aware of flaws that could put sensitive information at risk of exposure. And with cyber attacks becoming more prevalent, one would think the industry would welcome any opportunity to mitigate the chances of hackers breaking into commonly-used programs.
Recently, however, there has been considerable controversy surrounding vulnerability research, particularly when it comes to the disclosure of teams' findings. A number of questions come up in these regards, including:
- What makes vulnerability research so critical?
- How should software vendors treat researchers' findings?
- When is it appropriate for vulnerability research teams to publish their findings for the public?
While the answers to one or more of these queries might seem obvious, there are some in the technology industry that are struggling with them, especially in the wake of findings being published pertaining to vulnerabilities in Microsoft products. In order to determine the best solutions, let's examine vulnerability research, its importance and the current controversy in the sector.
What is vulnerability research?
To ensure full understanding, let's begin with the basics. Vulnerability research encompasses the processes engineering teams use to pinpoint flaws in software programs that could lead to security issues, noted NetraGard. These efforts could include reverse engineering, static and code analysis along with an array of other initiatives to recognize program issues. However, information security expert Bruce Schneier noted that it is important that the team includes engineers with a specific expertise in security due to their unique point of view.
"Security engineers see the world differently than other engineers," Schneier wrote. "Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail, and how to prevent – or protect against – those failures."
Why is vulnerability research important in the technology and security spaces?
There are considerable benefits to be gleaned from vulnerability research. In addition to helping to mitigate the risks of hackers exploiting discovered program weaknesses, this research also assists security vendors to better protect their users. Trend Micro noted that with the information gleaned from vulnerability research, security vendors are also provided the opportunity to establish patches for recognized weaknesses and increasing their responsiveness to zero-day and N-day exploits.
"It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly," Trend Micro Threat Analyst Weimin Wu wrote.
In addition to assisting vendors create safer products and enhance protections of sensitive user information, NetraGard pointed out that in the current threat environment, if vulnerability researchers don't pinpoint and address software flaws, they will surely be exploited by cybercriminals.
"If you do not check the security of your technology, then you can rest assured that malicious hackers will," NetraGard stated. "Vulnerability research helps to identify and eliminate security flaws that might otherwise be exploited by malicious hackers. Successful exploitation can lead to system compromise, data loss, data corruption, theft of intellectual property, theft of sensitive data, loss of service and sometimes loss of life."
With these consequences serving as motivation, vulnerability researchers perform incredibly important work that impacts software developers, vendors and users around the world.
What's the problem with vulnerability research?
With the advantages of vulnerability research clear, one might wonder why controversy has erupted around these efforts. Wu noted that the recent publishing of vulnerabilities in Microsoft products, including Internet Explorer and Windows 8.1, caused a stir in the industry. The publications came from HP's Zero Day Initiative and Google's Project Zero, and were made public after the issues were not addressed within 90 days of them being reported.
"This has resulted in an argument between security researchers and software vendors on how vulnerabilities should be disclosed," Wu wrote. "A case where a vulnerability was disclosed without a patch has mixed results for end users: It pushes vendors to respond more quickly when vulnerabilities are disclosed to them in the future; however, it also increases the time window when attacks can be carried out using these unpatched vulnerabilities."
While the jury is still out on how discovered vulnerabilities should be treated by both researchers and software providers, it does not diminish the importance of the research itself.
The changing landscape of vulnerability research
In recent years, vulnerability has moved from a white hat hobby to a more pressing need within the industry. As the instances of cyberattacks continue to increase, users are increasingly aware that anyone can become a victim, Trend Micro noted. Because many attacks come due to zero-day exploits, the pressure is on to discover weaknesses and patch them as quickly as possible.
"This has resulted in both established security vendors as well as startups expanding their ability to discover vulnerabilities in applications and websites," Wu wrote. "In effect, the ecosystem surrounding vulnerability research has been changed by the need to deal with targeted attacks."
As the threat landscape continues to evolve, vulnerability research will become an increasingly key part of the security and technology sectors.