eEye CTO Maiffret Weighs In On Cloud Security, Disclosure Debate

By Kevin McLaughlin, CRN
August 17, 2010    9:29 PM ET

Page 1 of 2

Nearly a decade has passed since security researcher Marc Maiffret and his colleagues at eEye Digital Security unearthed the Microsoft Code Red vulnerability, and it's been even longer since Maiffret's brush with the FBI at age 17.

Maiffret re-joined eEye Digital Security in July as CTO after a three-year hiatus during which he explored other parts of the security industry. CRN caught up with him recently to discuss eEye's new channel initiative and how threat management has evolved as a business. Following is an edited transcript of the interview.

There's been a lot of talk lately about using the cloud to enhance security. What are some benefits of this approach, and are there any weaknesses?

Cloud apps in general have two main security implications. One, it's a bit easier to respond to issues when you have a main cloud app to update. It's not like Microsoft trying to update millions of systems around the world, and it's much easier to control the quality of the application.

That being said, what terrifies me about cloud apps is that for the last ten years, the big driver in security, and the improvements it has brought, has been from the research community. Independent researchers are driving these companies to build more secure products.

But when you look at the cloud space, vulnerability research doesn't apply. You can't sit there and attack Salesforce.com. So that takes out the research community and leaves it up to the companies themselves, and we have seen security be treated as an afterthought by a lot of tech companies.

Microsoft recently started talking about something called "coordinated vulnerability disclosure," a renewed attempt to reshape the responsible disclosure argument. eEye started out embracing full disclosure -- has your stance changed since then?

I think between 60 and 90 days is typically a good enough amount of time for most tech companies to resolve and put out a patch for a vulnerability. What the research community wants is for companies like Microsoft to agree to some timeline, at which point, if they haven't resolved that vulnerability, researchers should be able to publish that information without being labeled a bad guy.

The driver for researchers to want that framework is the fact that too many vulnerabilities, when reported to the vendor, can sit for months or even years, which isn't acceptable.

Google researcher Tavis Ormandy incurred Microsoft's wrath back in June by disclosing details on a zero day vulnerability in the Windows Help and Support Center. Opinions seem pretty divided in the security industry as to whether he did the right thing. Where do you stand on this?

I think he's just a vulnerability researcher who's not motivated by making money, but by helping the IT community and making people secure. That's his intention, no matter who his employer is.

The incident did show there's a massive gap between how researchers are framing the disclosure debate and how Microsoft handles it.

Security researchers are coming to the table and saying here's what we find acceptable as a starting point. Google's security guys gave tangible numbers and said after 60 days, it's gloves off. They said that should also apply to Google themselves.


