Computer Weekly "CW 360º", © 2001 ComputerWeekly.com Ltd

Code Red: Time for defensive coding

By Cliff Saran

Code Red may have been a comparative non-event, but the publicity surrounding the worm that threatened to bring down the Net should act as a call for action within the software developer community.

Wednesday, August 01 2001 - Estimates from the US research group Computer Economics suggest the bill for using contracted IT staff to patch the Microsoft server at risk, IIS, currently stands at $1.2bn (£0.84bn).

Some might wonder whether it is fair to expect users to foot the bill for a flaw in Microsoft's software. The experts who spoke to CW360 answered that Microsoft was not culpable, even though it continues to sell flawed software to users.

Simon Moores, the chairman of the Microsoft Forums, told CW360 that the Internet relies too heavily on Microsoft software. "Problems [such as Code Red] will continue to reveal flaws in Microsoft software," he said.

Most commercial software is flawed, however, and Tony Lock, a senior analyst at Bloor Research, said he could not envisage a time when software would be bug-free.

DK Matai, the managing director of the security firm mi2g software, said, "The Code Red worm vulnerability amplifies the argument in favour of open software within large businesses." Under such a scenario, Matai argues that users would be able to run teams of software engineers to develop patches in real time as more and more vulnerabilities came to light.

But it is not just commercial software products that are being targeted. Kenneth De Speigeleire, the manager of security assessment services at the security firm ISS, warned that hackers were moving higher up the food chain. Hackers initially targeted operating systems, but security holes in operating systems are well publicised and patches are readily available, forcing serious hackers to look elsewhere when mounting an attack.

The most serious threat envisaged by De Speigeleire is one of hackers targeting bespoke e-commerce applications such as online banking.

Worryingly, the same type of flaw exploited by the Code Red worm, the buffer overflow, will occur in any type of software, according to De Speigeleire. "If you look hard enough you will find a buffer overflow error in every application," he said.

In De Speigeleire's experience, a skilled hacker would be able to write a buffer overflow hack for a bespoke e-commerce application in less than three days. The only indication that someone was trying to hack the software would be intrusion detection systems catching a hacker continually accessing the application.

The only way to avoid Code Red-type scares is to produce flawless software - a feat the industry believes is impossible. However, software vendors could write applications more defensively, assuming someone will always try to break in, and put in place measures to prevent damage or exploitation.

Modern computer systems have enough spare processing capacity to handle this type of software development without too much of a performance hit. But the sheer pace of software development will lead many businesses to cut corners and continue to deploy applications with hidden buffer overflow time bombs. And when the software fails, everyone will have to pay the price.
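The defensive coding the article calls for is easiest to see on the class of bug Code Red exploited: a fixed-size buffer filled from untrusted input with no length check. The C below is an added example, not code from the article or from any of the firms quoted in it. The field name, the 16-byte capacity, the sample request strings and the rejection tally are all constructed for illustration; the point is that the hardened copy routine refuses oversized input outright (rather than silently truncating it) and the handler records each refusal, giving the application its own detection signal instead of relying on an intrusion detection system to notice repeated probing.

```c
/*
 * Added example (not from the article): bounded copy of an untrusted field
 * into a fixed buffer, with rejection counted so the behaviour is observable.
 * All names, sizes and inputs below are constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a hypothetical e-commerce form field that may hold at most
   15 characters plus the terminating NUL. */
#define ACCOUNT_ID_CAP 16

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BAD_ARG = 2 };

/* 'Before': the pattern that produces a buffer overflow. It assumes the
   caller's data fits and nothing enforces that. Kept only as the defect to
   contrast with; the handler below never calls it. */
void copy_account_id_trusting(char dst[ACCOUNT_ID_CAP], const char *src)
{
    strcpy(dst, src); /* writes past dst when strlen(src) >= ACCOUNT_ID_CAP */
}

/* Scans at most cap bytes for the terminator; returns cap if none is found,
   so an unterminated input cannot make the scan run away either. */
size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* 'After': bounded copy that refuses oversized input instead of truncating it
   (silent truncation could turn one account id into another valid one). */
enum copy_status copy_account_id_checked(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return COPY_BAD_ARG;
    size_t n = bounded_len(src, cap);
    if (n == cap)              /* no NUL within cap bytes: too long or unterminated */
        return COPY_TOO_LONG;
    memcpy(dst, src, n + 1);   /* n < cap, so n+1 bytes fit, NUL included */
    return COPY_OK;
}

struct handler_stats { unsigned accepted; unsigned rejected; };

/* Handles one constructed request. A rejected field is counted and logged
   with its (bounded) length, which is the signal a defender would alert on.
   Returns true when the request was accepted. */
bool handle_account_request(const char *account_id, struct handler_stats *stats)
{
    char id[ACCOUNT_ID_CAP];
    enum copy_status st = copy_account_id_checked(id, sizeof id, account_id);
    if (st != COPY_OK) {
        stats->rejected++;
        fprintf(stderr, "rejected account id, length %zu, status %d\n",
                account_id ? bounded_len(account_id, 4096) : (size_t)0, (int)st);
        return false;
    }
    stats->accepted++;
    printf("processing account %s\n", id);
    return true;
}

/* Runs the constructed sample requests and returns the tallies so the
   behaviour can be checked rather than just printed. */
struct handler_stats run_constructed_requests(void)
{
    struct handler_stats stats = {0, 0};
    char oversized[200];                       /* constructed 199-char input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    const char *requests[] = {
        "ACCT-0001234",      /* 12 chars: fits, accepted */
        "ACCT-00012345678",  /* 16 chars: one too many, rejected */
        "ACCT-0001234567",   /* 15 chars: the largest that fits, accepted */
        oversized,           /* 199 chars: rejected */
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        handle_account_request(requests[i], &stats);
    return stats;
}

int main(void)
{
    struct handler_stats s = run_constructed_requests();
    printf("accepted=%u rejected=%u\n", s.accepted, s.rejected);
    return 0;
}
```

The checked routine returns a status rather than a truncated string because the caller, not the copy helper, knows whether a too-long field is a client error or an attack worth alerting on; the handler here treats every refusal as a countable event, which is the kind of built-in measure the article means by writing software on the assumption that someone will try to break in.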
