The Bugs Stop Here

Don't blame Microsoft. Don't blame the hackers. Blame yourself for insecure software. Better yet, stop blaming and start moving towards operational excellence.

This past summer, a worm known as Slammer rattled the Internet violently enough to become what you might call a "CNN-level virus" - that is, it burrowed its way into the national consciousness.

Nearly everything about SQL Slammer was old. It was an old hack that exploited a year-old vulnerability found in an old target, Microsoft software. There was a patch to block Slammer that was six months old, and that patch suffered from an old patch problem: it was so kludgy to install that the patch needed a patch. Above all, the reaction to Slammer - the call to use the event to build security awareness - was so old it called Bob Hope "kid". But this much was new: everyone agreed that Slammer was your fault.


The old game was to blame Microsoft. "Microsoft did not protect its customers," read a letter to The New York Times after the Melissa virus hit in 1999. A year later, after the I Love You virus infected Microsoft Outlook, a Washington Post editorial stated: "This is a software development problem." The Nimda worm (2001), according to Forrester Research, required 625 combinations of patches applied to Microsoft's Internet Information Server. Nimda, along with its contemporary, the Code Red virus, eventually compelled Microsoft to implement and market Trustworthy Computing, an initiative aimed at helping Microsoft developers learn how to write secure code.

Slammer, though, hasn't followed the old pattern. A developing consensual wisdom suggests that as woeful as Microsoft's products may be, CIOs have been equally sloppy. A February poll of more than 200 IT professionals, by antivirus company Sophos, showed that 64 per cent of respondents blamed their peers' lax security practices for Slammer. Only 24 per cent blamed Microsoft.

The poll also revealed that only 43 per cent of the respondents said they subscribed to Microsoft's vulnerability mailing list, which provides early alerts of viruses in the wild. Twelve per cent said they relied on "mainstream news" - newspapers and TV - to learn about new viruses.

Three per cent said they "don't really hear about them at all". And 19 per cent said they patched software when they "got around to it".

"I've got to look around at my comrades and ask: 'Why aren't you patching your systems?'," says Bob Ferderer, vice president of IT internal operations and security at CUNA Mutual Group, the US's largest financial service provider for credit unions, with 5000 employees and $US9.3 billion in assets. "There's a relationship between individuals not taking action and how these things spread out of control."

What frustrates Ferderer and other security experts is the fact that this seemingly intractable problem is actually quite tractable. The tools and strategies to prevent another Slammer are just waiting to be used. In fact, the number of tools and strategies available to you - and available at a reasonable cost - makes it inexcusable for any CIO to fiddle while the software burns.

There is, after all, $US60 billion on the table. A 2002 study by the National Institute of Standards and Technology (NIST) developed that number to describe buggy software's cost to the national economy. Improved software testing alone, NIST suggests, could shave $US22 billion off that. Why can't the software community motivate itself to grab all that cash? The answer lies in software culture.

Vendors, for the most part, value time-to-market over security. As long as they can get away with shipping buggy code, they will.

Developers live by deadlines, which compel them to work fast. At the same time, they're being asked to provide ever more features.

And CIOs, as a group, have been passive, assuming there was little they could do to effect change.

They assumed wrong. In fact, a growing number of advocates believe CIOs should be leading the charge for secure software.

"CIOs must take action," says Linda Northrop, director of the product-line systems program at the Software Engineering Institute (SEI) and co-author of Software Product Lines: Practices and Patterns. "I think CIOs have done a deplorable job matching their software decisions to business goals, especially in its security and quality. What we need from the CIO ranks are leaders."

Northrop could be talking about Al Schmidt, vice president of IT and CIO of $US939 million Arch Chemicals. "What I've come to realise," says Schmidt, "is that security is really about operational excellence. So why wouldn't I jump on that? I mean, operational excellence - that's what I'm supposed to be doing, right?"
