secwatcher writes:
When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.

In fact, almost 60 percent of 230 security pundits thought it was a “good idea” to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn’t a good idea.

Dr. Richard Gold, head of security engineering at Digital Shadows, told Threatpost that PoC code makes it easier for security teams to do penetration testing:
“Rather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable,” Gold told Threatpost. “This ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation.” In fact, up to 85 percent of respondents said that the release of PoC code acts as an “effective motivator” to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been “instrumental” in preventing an attack. And, 85 percent of respondents said that a PoC code release is acceptable if a vendor won’t fix a bug in a timely manner…

On the flip side of the argument, many argue that the release of the Citrix PoC exploits was a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they were patched… Matt Thaxton, senior consultant at Crypsis Group, thinks that the “ultimate function of a PoC is to lower the bar for others to begin making use of the exploit… In many cases, PoCs are put out largely for the notoriety/fame of the publisher and for the developer to ‘flex’ their abilities…”

This issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: “I believe the release of PoC code functions more like an implied threat to anyone that doesn’t patch: ‘You’d better patch . . . or else,’” he said. “This kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability.”

And Joseph Carson, chief security scientist at Thycotic, tells them “Let’s be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them.”


Source:: Slashdot