©workingarts.com
2002

What have we learned so far?

Don’t worry, this is not a quiz. I specifically ask this question to software vendors who have been frantically busy uploading bug and security fixes on their websites in response to security vulnerabilities identified by White Hat (as opposed to Black Hat) hackers. Granted, some of the vulnerabilities are made public within hours of their discovery, giving little to no time at all for the vendors to respond or investigate the issue. Oh well, this is the trend these days: security lists are blooming all over the internet and vulnerabilities are being discovered on a daily basis. This means good and bad news.

Let’s tackle the good news first: the Internet has brought on a new army of free, security-minded quality assurance developers who use common and not-so-common attacks on popular (and obscure) software packages. The clear advantage is that it forces software vendors to clean up their act and perform more aggressive security testing on their products (more on that later…). Another advantage is that it also forces those same vendors to dedicate post-release engineering teams to providing security patches in a timely manner; any other behavior would create public relations horror stories and negatively affect product sales (case in point: Intel’s Pentium chip flaw PR fiasco back in 1999). This is good news!

So, what’s the bad news? Ask any large network administrator and he or she will tell you how every day is increasingly like a race against the clock. They are constantly downloading and installing security patches on servers and user computers. The alerts the press talks about usually deal with high-visibility products such as the operating system (Windows, Linux, MacOS, etc.) or software suites such as Microsoft Office, Novell’s GroupWise or IBM’s Lotus Notes. Information Systems managers also deal with numerous obscure products that make their network run: they install software distribution software, remote access servers, Internet firewalls, virtual private networks, authentication servers, directory servers, domain controllers, FTP, telnet and email servers, etc. All of those are also regularly attacked by white hats, and patches are released daily. A fresh example of this is the August 12, 2002 announcement of a recently identified vulnerability in the Cisco virtual private network client software, for which, at this point, there are no workarounds available (advisory posted at http://www.cisco.com/warp/public/707/vpnclient-multiple-vuln-pub.shtml). Last year, the Computer Emergency Response Team (CERT) of Carnegie Mellon University reported 2,437 security vulnerabilities in 2001. As of the end of June 2002, the number of reported vulnerabilities had already reached 2,148, well on its way to doubling last year’s already impressive number.

The lesson is clear: software vendors must address security when they design the product itself. Until recently (very recently), security was an afterthought. Software engineers designed and wrote their products, then had a cursory security review (if any) just before they were about to release the product. Hopefully -- and there are signs to this effect -- this is changing. In a July 18, 2002 email entitled “Trustworthy Computing,” sent out to large customers and, of course, to the press, Microsoft’s Chairman Bill Gates explained that he had asked 8,500 engineers to perform an intensive security analysis of millions of lines of Windows source code. The code review took two months, and Microsoft spent well over $100 million in the process.

The reason for this shift, beyond the obvious PR response to the numerous security flaws in Microsoft products recently mocked in the press, is increasing economic pressure: it costs money to fix things, and security flaws slow down the sales cycle. Finally, we have reached the moment when it is also in the interest of software vendors to release relatively more secure software. Or have we?

Next time, we’ll talk about the next wave of security products. Until then, make sure you back up your files, scan your computer for viruses and update your virus signatures once a week.

Is this article interesting to you? Want to know more about information security? Send your comments, questions and suggestions to the author via email at frederic@workingarts.com

Frederic Martin is the President of workingarts Marketing and can be reached by email at fredo@workingarts.com
