Earlier this month, many of the world’s biggest cloud-service providers quietly cooperated to update the open-source Xen hypervisor software. What wasn’t publicly revealed until after the update was safely completed, however, was that it was a carefully coordinated operation intended to head off a major security breach, as identified in the Xen patch advisory. Here is why this was a model case for exactly the right way to confront a predicament involving an open-source web security flaw.
Vulnerable code had been identified in software that helps hold together the premier cloud services companies. The reality is that most industries are slow, uncoordinated, and simply don’t care enough when told of security flaws. When researchers uncover a vulnerability (assuming they understand its scope and targets), they usually attempt to tell the people who need to know before making it public. However, when no one actually does anything to fix the problem (after all, it is often just a theory at this point), security researchers publish their findings more widely to jolt IT managers into taking action.
Unfortunately, until someone goes public to demonstrate how easily a flaw can be exploited, many companies don’t take it seriously.
It worked this time because the large cloud providers like Amazon, Rackspace and IBM Softlayer are not in the slow and uncoordinated category. They take security very seriously. A breach of this nature could devastate their business. As soon as they are made aware of a vulnerability in their infrastructure, they move swiftly to address it.
What are the prospects for more firms following their lead? I don’t see this landscape improving unless regulation is expanded to force companies to apply more rigor in heading off security flaws.
A lot of security researchers can identify a vulnerability, but they may not fully understand how powerful it is. They may assume, erroneously, that it isn’t that big of a deal, and they publicly disclose their findings with minimal advance notice to the people who will be affected. Once it is public, somebody can connect the dots and realize it can be exploited in more ways than initially recognized. That’s when you face much more serious risks that could have been avoided with proper disclosure. Happily, in the case of the Xen update, the companies that were affected had the expertise to understand what was at stake, and they acted accordingly.