Online security experts in legal gray area

Published 13 June 2007

Laws hamper the ability of online security experts to do their job diligently and effectively — not a good thing when the use of Web-based applications grows by leaps and bounds

You would think that those entrusted with making sure that online security is as robust as it can be would have wide latitude in poking around and looking at things so that they can do their job. You would, but you would be wrong. A new report by the San Francisco-based Computer Security Institute (CSI) says that online security research is hobbled by laws that could land researchers in prison for looking for Web site vulnerabilities, much less disclosing them publicly.

CIO Today’s Jennifer LeClaire reports that

The CSI study offers insights and discussions from security researchers, computer crime law experts, and representatives from law enforcement agencies. The current legal framework, the study found, makes it difficult to spot security flaws in next-generation Internet applications (e.g., Web 2.0 technologies) which are becoming ubiquitous. The report will be formally presented on 18 June at the NetSec ‘07 conference.

The study highlights an important topic, according to Michael Sutton, a security evangelist at Atlanta, Georgia-based SPI Dynamics and former director of VeriSign iDefense Labs. “We’re at a point where it is largely accepted that researchers have the right to test the security of applications they purchase and manage,” Sutton noted. In fact, companies such as Sterling, Virginia-based iDefense have built a business model around identifying vulnerabilities in third-party applications. As we move to Web-based applications, Sutton said, the structure of ownership has shifted and the legal right to test for vulnerabilities remains unclear: Consumers who use Web applications would be exposed if there was a vulnerability in that application, yet the end user has no right to test to gain assurance that the application is secure.

“We certainly can’t have the public attacking Web applications and claiming that they were simply protecting their own interests, yet at the same time we are setting a dangerous precedent by threatening legal prosecution whenever a good Samaritan attempts to report a security vulnerability in an online application,” Sutton concluded.