[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vendor-driven Mac-specific security incident response document



    Thought I'd pass this along; whole thread is available on
    http://www.zocalo.net/mac-security.  I'd really rather not see a
    mac-specific document be prepared in parallel with the general
    vendor-expectations and GRIP stuff.

    Any suggestions for integrating this effort into the working
    group efforts?
      
                             -Bill 
    
______________________________________________________________________________
bill woodcock woody@zocalo.net woody@nowhere.loopback.edu user@host.domain.com





>Date: Mon, 1 Sep 1997 16:52:07 -0700
>To: mac-security@zocalo.net
>From: Bill Doerrfeld <bill@blueworld.com>
>Subject: Proposal For Issues Contibuting To A Breach Of Security In Mac OS
 Internet Applications


It seems like we're at the point where proposals for how to deal with
reports of security problems is needed.

In an attempt to assist with the process of identifying circumstances which
either directly indicate a security hole, or, may lead to a breach of
security by unknowing, inexperienced or non-skeptical Website
administrators, please review the following "Proposal For Issues
Contibuting To A Breach Of Security In Mac OS Internet Applications".

Comments are appreciated.

Thank you.

Bill


--------------------------------------------------------------------------------

Proposal For Issues Contibuting To A Breach Of Security In Mac OS Internet
Applications

If any of the following are true in any given application, the "Mac
Security Advisory Board" (or appropriate representative body) shall
immediately instigate their first course of action. [Please see note below.]

1. The default set up and configuration of the tool can lead to a potential
security hole.

2. There is insufficient documentation warning users as to how security may
be compromised if their configuration is setup a certain way, even in
"non-default mode".

3. Tool purports to work with various Web servers but only operates
securely with one Web server or a limited number of Web servers.

4. Informed source provides sufficient evidence to suggest a security hole
is present in the application stand-alone, or when combined with one or
more other applications.

5. Tool relies on security methods either in little use, non-documented or
not present in other solutions and fails to adequately make developers or
users aware of the proprietary or unique nature of security method.
--------------------------------------------------------------------------------

(Note on "first course of action": A discussion or proposal for the
appropriate course of action is best served in a separate document.
Determining factors may include [but are not excluded to]: the seriousness
of security issue, how long the technique for breaching security has been
known, the extent by which the technique is known and by whom, the ease in
which the technique may be discovered by other parties, the size and nature
of the "affected market", the potential harm that may be caused, the
willingness and ability for the vendor(s) involved to act swiftly [to both
rectify the problem AND to fully notify customers].)

--------------------------------------------------------------------
Bill Doerrfeld                                  bill@blueworld.com
Blue World Communications, Inc.      http://www.blueworld.com/
--------------------------------------------------------------------


&
>Date: Mon, 1 Sep 1997 17:28:00 -0700
>To: mac-security@zocalo.net
>From: Bill Doerrfeld <bill@blueworld.com>
>Subject: Draft of Issues for "Proposed First Course of Action"


I've fleshed out the contents of a previous footnote to hopefully better
faciliate discussion on the creation of a list of important issues to
consider while drafting a "Proposed First Course of Action" policy.

Please elaborate and/or comment.

Regards,

Bill

------------------------------------
Proposed First Course Of Action Policy

[Draft of list of issues to consider]

The following issues generally affect the nature of the first course of
action to be made by the appropriate industry representative body when
confronted with a confirmed Mac OS Interent security related issue.

1. The seriousness of security issue

2. How long the technique for breaching security has been known

3. The extent by which the technique is known and by whom

4. The ease in which the technique may be discovered by other parties

5. The size and nature of the "affected market"

6. The potential harm that may be caused

7. The willingness and ability for the vendor(s) involved to act swiftly
(to both
rectify the problem AND to fully notify customers)

8. The ability for affected customers and webmasters to remove the affected
solution and/or find a sufficient replacement with minimum impact on their
business

9. The negative impact of making a recommendation to remove the offending
application versus the risk some webmasters may assume in keeping the
solution in place until such time that the security breach technique is
more widely known (assuming it's an obscure technique) or before such time
that a fix is available

10. The impact wide-public distribution of a purported security hole may
have on webmasters' businesses

11. The negative impact on customers, webmasters, platform, class of
products, specific product or vendor, by NOT swiftly announcing a security
problem.

--------------------------------------------------------------------
Bill Doerrfeld                                  bill@blueworld.com
Blue World Communications, Inc.      http://www.blueworld.com/
--------------------------------------------------------------------