Fortify Software, the application vulnerability specialist, says that an informal agreement by the software cracking community to temporarily cease open discussion of the Adobe Clickjacking flaw is a positive move for the IT security industry.
“All responsible security research organisations – ourselves included – will always give the vendor time to respond before discussing the issue, so it’s good to see the cracker community holding off,” said Brian Chess, Fortify’s founder and chief scientist.
“Two well-known security researchers – Robert Hansen and Jeremiah Grossman – were also scheduled to give a talk on the problem at the Open Web Application Security Project in New York later this month, but it’s also good to hear that they have shelved their plans pending Adobe releasing its security patches in the interim,” he added.
According to Chess, whilst security research companies – including Fortify Software – will continue their constant work on better protecting software users against all the vagaries of application flaws and allied security issues, it is important that the industry works together in a coherent fashion when it comes to minimising the overall risk.
There is, he said, no point in prematurely releasing details of a flaw when the vendor concerned is known to be working on a patch.
“The only exception to the rule is where the potential fallout from the flaw is so great – with hackers already aware of the problem and clearly exploiting it – that it will benefit the industry by publicising the problem and helping everyone to immediately counter the issue,” he said.