Full Disclosure mailing list archives
RE: Web sites compromised by IIS attack
From: Gilbert Pilz <gilbert.pilz () e2open com>
Date: Thu, 1 Jul 2004 18:52:12 -0700
It's all well and fine to say "we need this" and "we need that" but none of it is going to happen without financial and/or legal incentives to make it happen. The reason that software ships with so many bugs (including, obviously, security flaws) is that current financial and legal conditions create an environment in which it is advantageous for the vendors to do so. Like anyone or anything else, software vendors have adapted to their environment. If there was any way that doing any of the things you suggested resulted in a signficantly better bottom line for the software vendors some of them would be doing it by now and the rest would be copying them soon thereafter. Read a EULA or two! It's right there in front of your face: "This product is not actually guaranteed to do *anything*". I personally think the problem stems from the entire "software as a product" model. When marketing, buying and selling software as a product the focus always tends to be on the things that are easy to talk about and verify (i.e. features) and rarely ever on things that are hard to talk about and verify (i.e. quality or security). With a "software as a service model" *combined* *with* measurable and verifiable service level agreements (where breaching the agreement results in refunds or other financial penalties) I think you would find that the service providers would be much more focused on quality and security because they have a direct financial interest in making sure the service remains up and operating correctly. - gilbert -----Original Message----- From: Paul Schmehl [mailto:pauls () utdallas edu] Sent: Wednesday, June 30, 2004 7:08 PM To: FULL-DISCLOSURE () lists netsys com Subject: Re: [Full-disclosure] Web sites compromised by IIS attack --On Wednesday, June 30, 2004 6:27 PM -0500 Frank Knobbe <frank () knobbe us> wrote:
Instead of requiring the consumer to install patches, Microsoft should be required to fix their own, broken products. That means that they should send their army of engineers (a lot of which are now carrying the CISSP certification) to the consumers and have their engineers correct the flaws in their products. They sold flawed products, they should fix it.
I'm right there with you, Frank, on one condition. You hold *every* software vendor to the same standard. IOW, "Apache should be required to fix their own, broken products"..."RedHat Linux should be required"......"Oracle should be required"....."sendmail"....."wuftpd"....."php"..."mysql"...etc., etc., etc., ad infinitum, ad nauseum. Be careful what you wish for. You may actually get it. I just upgraded my workstation from RedHat 9.0 to Fedora Core 1. I then ran up2date and found that there were 142 software packages that needed to be updated. Just before I did that, I run portupgrade on one of my FreeBSD boxes. It had 17 programs that had to be updated. If we're going to require that software vendors produce flawless products, we're not going to have many software products. Even Postfix, which *to my knowledge* has never had a security issue, has had numerous bug fixes. (And I think so highly of Postfix that the first thing I do when I install a new OS is replace sendmail with Postfix.) I attended a presentation yesterday for a security product in the application firewall field. During the presentation, the CISSP stated that "in every 1000 lines of code there will be 15 errors". I don't know if I'd agree with that - I suspect most coders are a bit better than that - but I had to chuckle, because, of course, I immediately thought, "So you admit that your code is riddled with holes!" We need better methodologies for finding bugs in software. We need better training of programmers. We need established standards for coding that would define things like bounds checking. We need a *lot* of improvements in software development, and those improvements need to be *industry-wide*, not just Microsoft. Every time I read about a security vendor with a remote hole in their products, I think, "How in the world can they identify attacks, if they can't even see them in their own code?" Clearly the problem is a *lot* bigger than Microsoft alone. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Web sites compromised by IIS attack, (continued)
- Re: Web sites compromised by IIS attack Maarten (Jul 03)
- Re: Web sites compromised by IIS attack Barry Fitzgerald (Jul 06)
- Re: Web sites compromised by IIS attack Ron DuFresne (Jul 02)
- Re: Web sites compromised by IIS attack Maarten (Jul 03)
- Re: Web sites compromised by IIS attack Valdis . Kletnieks (Jul 02)
- Re: Web sites compromised by IIS attack Nick FitzGerald (Jul 02)
- Re: Web sites compromised by IIS attack Denis Dimick (Jul 01)
- Re: Web sites compromised by IIS attack Frank Knobbe (Jul 01)
- RE: Web sites compromised by IIS attack joe (Jul 01)
- RE: Web sites compromised by IIS attack joe (Jul 03)
- Re: Web sites compromised by IIS attack Ron DuFresne (Jul 03)
- Re: Web sites compromised by IIS attack Jason Coombs (Jul 04)
- Re: Web sites compromised by IIS attack Valdis . Kletnieks (Jul 08)