Computer Weekly "CW 360º", © 2001 ComputerWeekly.com Ltd

Why are we in this mess?

By Cliff Saran

As the world braces itself for the impact of the Code Red worm, the key question for IT professionals is why systems are vulnerable to this kind of attack.

Tuesday, July 31 2001 - Following Tuesday's US government and Microsoft press conference to highlight the dangers, Ronald Dick, director of the FBI's National Infrastructure Protection Centre, said getting information out to users had proved more difficult than he ever imagined. US security officials were at a loss to know what more they could do to get companies to heed the warnings, he added. Defence against the Code Red worm is straightforward: users need only install the patch Microsoft has already issued.

However, Simon Moores, chairman of the Microsoft Forums, told CW360 that Microsoft's policy of selling millions of units of insecure software and then asking users to install the security patch was fundamentally flawed. The key to the problem for Moores is poor software design that allows anyone from the mischievous to the malicious and criminal to threaten a crucial part of the global infrastructure.

"We are relying on Microsoft too much to build the Internet's infrastructure. There must be a better way," he said. According to Moores, several enterprise users were now questioning their commitment to Microsoft's latest .Net strategy, which largely focuses on delivering an infrastructure to provide Web-based services over the Internet. "Large enterprises have doubts over security [in Microsoft software] but they do not know where to go to keep their data safe," Moores said.

DK Matai, managing director of security firm mi2g software, said many security risks were the result of proprietary software. "In the case of Microsoft and other proprietary software, vulnerabilities can only be repaired once the manufacturer is involved, because the source code is not openly available," he said.

The backward compatibility of proprietary products means that they are built in layers over time and this, according to Matai, "is the Achilles' heel of proprietary software. The Code Red worm vulnerability amplifies the argument in favour of open software solutions within large businesses that can afford to have their own software engineers to develop patches in real time as more and more vulnerabilities come to light," he said.

Matai believes the future lies in software system solutions that will be able "to dynamically adapt to the rising threat in real time". Eventually, he said, "Large businesses will apply sufficient pressure on proprietary software manufacturers to release their source code where the vulnerabilities become a cumulative and regular disruptive feature."
