Security Watch
COLUMN
Growing Up with a Little Help from the Worm

October 1, 2001
By Greg Shipley


The Code Red saga -- brought to you by Microsoft IIS Web server and its seemingly endless supply of security flaws -- has brought a number of traditional information-security holy wars back into the limelight. My favorite is the "blame and fix" conflict. Everyone wants to know whose fault it is; then they'll fix the problem. If it were only that simple.



So we have this mess we affectionately call Code Red -- a worm that exploited a vulnerability in IIS and took control of hundreds of thousands of machines. Following the blame-and-fix game, our first question is: Who's at fault? The administrators who didn't patch their machines? Maybe the organizations that don't have refined security procedures to help reduce the effects of these attacks. How about the Microsoft folks, who are guilty of relentlessly releasing flawed code? Or the attackers who coded the vicious beast?

Second question: How do we fix the problem? Is it simply a matter of timely patching? Should we start forcing vendors to review their code and eliminate common security flaws? Maybe we could opt for some of the more brain-dead solutions: We could stop discussing these vulnerabilities in open forums and drive them back underground (this way only the "l33t" hackers can access the info while the rest of us bury our heads in the sand). What about outlawing reverse engineering and the creation of hostile code? Heck, let's outlaw shovels while we're at it -- they can be used to break servers too.

The one thing I don't hear anyone talking about is the consumer's role in this nightmare. Contrary to popular belief, consumers are not innocent bystanders. Why doesn't anyone blame the decision-makers for purchasing solutions with horrendously bad security track records?

While it would be nice to point the finger at a single party, the truth is, our entire industry is guilty. Vendors are releasing insecure and immature products, and consumers are gobbling them up. Some security researchers still won't cooperate with vendors, and lawmakers are listening to the software companies looking for the quick (and cheap) fix. This market demands features over security and has bred vendors that continuously skip precious QA (quality assurance) cycles because the consumer base consistently forgives them. This market says, "Oh, wow! Another security flaw? That stinks." And then it does absolutely nothing about the flaw.

The industry seems to ignore the fact that consumers have a great deal of control here. If consumers start demanding more secure products and start making purchasing decisions that include security considerations, things will change. Security costs money, but bad security costs more. How much time does your organization spend on patching? What about virus cleanup and incident response? Think about it.

Here's my question (actually, it's a few questions): When will enough be enough? When will the market stop accepting apologies? When will the market demand vendors increase their QA efforts? When will third-party validation efforts become the norm rather than the exception? When will consumers and decision-makers start caring enough about security to factor it into decision-making processes? I wish I had all the answers, but I do know that as long as the market favors the vendor with the loudest bells, vendors will continue getting away with making shoddy products and nothing will change.

The Same Old Story?

A vendor puts out flawed code. The flaw is discovered. Someone figures out how to exploit the flaw and creates a tool with which to do so. Someone automates the process. Finally, someone gets malicious. What's new here? Not much. The only thing that's changed is the size of the audience -- and my, how it's grown! Code Red isn't revolutionary -- it's evolutionary. It's the natural progression of the infosec nightmare. And mark my words: Far worse calamities await us if we don't get our act together. These worms are just getting started. The time is right for our industry to get educated and smart -- and that means we all have to grow up.

Send your comments on this column to Greg Shipley at gshipley@neohapsis.com.
