In the Footsteps of CERT

By Ryan Naraine  |  Posted 2008-04-03

The idea is to mimic the CERT security incident response teams around the world by offering help to both large infrastructures and smaller projects that can't afford a full-blown security team. The goal, Barisani said, is to reduce the impact of compromises on small projects with little or no infrastructure security and, more importantly, avoid the ripple effect of badly communicated or poorly handled compromises.

He said oCERT will also provide security vulnerability mediation for the security community and maintain reliable security contacts between registered projects and vulnerability researchers who need to get in touch with a specific project regarding infrastructure security issues.

oCERT has already put together a high-profile team that includes Tavis Ormandy and Will Drewry from the Google Security Team; Barisani and Rob Holland from Inverse Path and Marcel Holtmann from Intel. Solar Designer from Openwall and Dragos Ruiu from the SecWest security conferences form part of the organization's advisory board.

With this list of renowned security experts, Barisani believes oCERT can emerge as a credible organization to help in assessing whether a vulnerability submission is actually a real security concern.

Barisani, an active member of the Gentoo Foundation's security and infrastructure teams, has first-hand experience dealing with security-related emergencies.

Back in 2003, he found himself smack dab in the middle of a major compromise of one of the servers that make up the rotation. During that incident, Barisani was closely involved with containing the damage, performing live analysis of the hijacked server to look for lost data and evaluate the visibility of other systems in the network to reduce the risk of further compromises.

The issue was resolved in 36 hours and is often cited as one of the best collaboration and response examples in the open-source community but, five years later, there are still major gaps that need filling.

"Let's just say that there's a good history of security issues in the open-source world that could have been handled better and there's also a good history of compromises which are worrying," he said, declining to provide details on vendors with a poor history of responding to security incidents.

He insists oCERT will be tough on vendors that take too long to fix software vulnerabilities. "We're committed to keeping things moving as fast as possible and we have a disclosure policy that enforces an upper limit on disclosure time," Barisani said.

"If a vendor is lazy and takes six months to fix something, we won't tolerate it," he declared.

The oCERT policy is to give a vendor an embargo time of 60 days to create and release a security patch. "We'll always have a fixed limit specifically to prevent the problem of lazy handling [of vulnerability warnings]. We will be stricter if we think it's necessary," Barisani said.
