The last few months have seen the revelation of a rash of critical vulnerabilities in a wide variety of software, from Oracle Corp.'s database packages to Windows to Cisco Systems Inc.'s IOS code. And if 2003 is to be remembered for being one of the worst years on record for such problems, this week's Black Hat Briefings in Las Vegas may well go down as the event where security researchers began to turn the tide in the fight against faulty code.

Vulnerability research right now is something of a black art. Its practitioners are often fiercely independent people who typically log long hours poring through lines of code and prying into the darkest corners of modern computer systems, searching for the smallest crack, that sliver of daylight that could allow a cracker to slither into the machine and make it his own. And the job is often a thankless one. The security community is sharply divided over the value of independent vulnerability research: some observers feel it leads to better coding practices and more secure networks, while others believe it does nothing but hand crackers a detailed instruction set for breaking into systems.

Two panel discussions on Wednesday will take on the topic of vulnerability research and try to inject some structure and analysis into the process. In the morning, the Organization for Internet Safety will formally unveil the final version of its long-awaited and much-discussed plan for handling security vulnerability disclosure and reporting. OIS, which is made up of security vendors and software makers including Microsoft Corp., @stake Inc. and BindView Corp. among others, released a draft version of the plan in early June and accepted public comments until July 4. The final version was posted to the group's Web site Monday.
