To some IT managers, vulnerability researchers such as H.D. Moore are knights in shining armor for their efforts to uncover security flaws in software. Others argue that the only people being helped are malicious hackers. In an e-mail interview with Computerworld, Moore discussed his involvement in vulnerability disclosure efforts such as the Metasploit Project. Excerpts follow:
How exactly is the work being done through initiatives like the Metasploit Project helping to improve overall software security?
The availability of tools such as the Metasploit Framework allows anyone to learn more about security and the exploit process in general. Network administrators use the framework to justify patch installations, software developers use it to verify patches in their software, and security analysts use it to perform penetration tests. As more people become aware of software security flaws and their impact on their business, the software vendors will be held to higher standards of product security.
What would you say to critics of such efforts who argue that ultimately they help only the bad guys?
Every major security vendor uses the tools developed by the Metasploit Project to test their products. Almost every security consultancy uses Metasploit tools to perform penetration tests and risk assessments. The Metasploit Project puts the "good guys" on equal footing with the folks who already have the skill to launch these types of attacks.
But some critics say many vulnerabilities are obscure and hard-to-exploit flaws that would remain hidden if security researchers didn't go looking for them.
These folks sound naive. History has shown that many of the worst security flaws were made public only after a bad guy was caught in the act. When I discover a new vulnerability, I have to assume that someone else found it first.
What's your opinion on responsible disclosure of vulnerabilities?
There is a myth that "responsible disclosure" means always waiting for a vendor to patch a flaw. I have been reporting vulnerabilities to vendors for nearly 10 years and still believe that forcing a vendor's hand by releasing [information about a flaw] early is the responsible thing to do under the right conditions.
How much time should vendors be given to fix flaws?
It depends on the vendor, how fast they respond and whether I'm the only one that knows about a given vulnerability.