Security Hole found in NAI Firewall
Kevin Poulsen, SecurityFocus 2000-05-22

Censorware gaffe turns "World's Most Secure Firewall" into an open door.

The key is not "quick response" 2000-05-22
Anonymous (1 replies)
The key is not "quick response"--the key is writing secure code and having appropriate testing methodologies that will catch vulnerabilities before the product goes out the door. Yes, quick response is important when unforeseeable issues arise, but this security problem should not qualify as unforeseeable. Consumers should demand more of software security products, and vendors should be diligent in making sure they are actually shipping a secure product. As it stands, the computer security industry is ass backwards.

By the way, NAI's claim that Gauntlet is the "most secure firewall" is absurd. Both Secure Computing and CyberGuard produce much more secure firewalls. Any firewall that allows a single vulnerability in a proxy or other network daemon to entirely compromise the firewall's integrity cannot be deemed very secure (Gauntlet is such a firewall, unless installed on a trusted operating system and appropriately configured). Both the Secure Computing and CyberGuard firewalls are built on trusted operating systems that provide compartmentalization. Compartmentalization is used to limit the exposure that any vulnerable proxy or daemon could create. The entire firewall's integrity (and the protected network) is not compromised if a firewall service has a buffer overflow--only the integrity of the particular service and the corresponding effect on the protected network suffers.

Something smells rotten in this state.

Quick Response is a 'MUST' 2000-05-22
Anonymous (2 replies)
Quick Response is a 'MUST' 2000-05-24
Anonymous
Quick Response is a 'MUST' 2000-05-26
Anonymous
This is HUGE 2000-05-22
Anonymous
NAI and Gauntlet 2000-05-23
Anonymous
Security in depth is a good policy 2000-05-23
Anonymous (1 replies)
No comment! 2000-05-24
Anonymous
The scary thing... 2000-05-26
Anonymous
Simplicity 2000-05-29
Anonymous







 
