CMP Technology's Computer Security Institute Creates Cross-Disciplinary Group of Web Security Researchers, Computer Crime Law Experts and Agents From the U.S. Department of Justice to Discuss Web 2.0 Research Roadblocks

Group's Initial Report to Be Released at Computer Security Institute's NetSec Conference on June 11

SAN FRANCISCO, June 4 /PRNewswire-USNewswire/ -- The Computer Security Institute (CSI) today announced it has formed a cross-disciplinary working group of Web security researchers, computer crime law experts and agents from the U.S. Department of Justice on the legal barriers to Web 2.0 vulnerability research and disclosure. The group will release its first report Monday, June 11 at CSI's NetSec conference in Scottsdale, Ariz.

"Security researchers are able to identify and publicly disclose software vulnerabilities or further write proof-of-concept exploit code without fear of criminal prosecution," said Jeremiah Grossman, CTO of WhiteHat Security and a contributor to the group. "But Web security researchers aren't so lucky: under some laws, a researcher could find himself prosecuted for simply looking for Web site vulnerability, much less disclosing it publicly."

To tackle this question, the working group will not espouse any particular position, but rather identify, debate and explain all the legal, ethical, social and technological considerations feeding this issue.

"This report serves as a meeting of the minds, bringing together ideas and concerns from the developers, security researcher and law enforcement communities, making it a unique touch point for everyone caught in the frenzy of Web 2.0," added Grossman.

Within the report will be:

-- A matrix of Web security research methods (on a scale of least-invasive to most-invasive), assessments of how the law may interpret these actions and gauges of the likelihood a Web researcher will be criminally prosecuted for such actions;

-- Discussion of how the law may be changed, including how liability is assigned, how "damage" is quantified and how disclosure and criminal intent factor into sentencing; and

-- Suggested endeavors the industry may create to improve Web security within the current letter of the law, such as: better secure Web development standards, better Web site security certifications, anonymous vulnerability disclosure tip lines and a service that invites registered researchers to hack "dummy" Web pages, which are modeled off typical Web sites but contain fake data.

A question and answer period with some members of the working group will follow the report presentation.

Members of the working group include: Brian Chess, founder and CTO of Fortify Software; Jennifer Granick, executive director of the Center for Internet and Society, Stanford Law School; Jeremiah Grossman, CTO, WhiteHat Security; Billy Hoffman, lead researcher, SPI Labs; John Lynch, deputy chief, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice; Scott Parcel, vice president of engineering, Cenzic; Jon Rusch, special counsel for fraud prevention, Criminal Division, U.S. Department of Justice; Lee Tien, senior staff attorney, Electronic Frontier Foundation; and Jacob West, manager of the security research group, Fortify Software.

NetSec '07 will be held June 11-13 at The Phoenician in Scottsdale, Ariz. The conference covers a wide variety of topics, from live forensic analysis to data breach notification law. NetSec is geared both to those entering the field and to experienced practitioners, and addresses managerial and compliance, as well as technical, issues.

For details and to register go to: http://www.csinetsec.com/.

CSI serves the needs of information security professionals through conferences, regional events, on-site training, Webcasts, end-user awareness newsletters and training tools, member publications and the widely quoted CSI Computer Crime and Security Survey. Visit http://www.gocsi.com/ for further information.

About CMP Technology (http://www.cmp.com/)

CMP Technology is a marketing solutions company serving the technology industry. Through its market-leading portfolio of trusted information brands, CMP has earned the confidence of more technology professionals than any other media company. As a result, CMP is the premier provider of access, insight and actionable programs designed to connect sellers and buyers in ways that yield superior return on investment. CMP Technology is a subsidiary of United Business Media (http://www.unitedbusinessmedia.com/), a global provider of news distribution and specialist information services with a market capitalization of more than $3 billion.

Contact:
Sara Peters
Editor
CMP Technology's Computer Security Institute
(office) 212-600-3066
(cell) 609-213-9361
speters@cmp.com
http://www.gocsi.com/

SOURCE: CMP Technology's Computer Security Institute