Will the real villain please stand up

Will the real villain in the cyber security landscape please stand up, because the waters are getting a little murky.

Forgive me for behaving like a naive chicky babe, but I'm trying to understand why it is so acceptable for security software vendors to sell lemons.

Only last week a federal advisory panel setting cyber security standards for the US Government asked why so many Web intrusions occur, only to be told that all is cool: it's simply because vendors sell systems with security holes. No big deal.

SANS Institute research director Alan Paller told the panel that systems get sold "broken", with both known and unknown vulnerabilities.

He cited a well-known vulnerability in Microsoft Windows NT 4.0 and Windows 2000 which allowed the Code Red II worm to leave 150,000 systems open to attack. Sure, software security standards are non-existent and industry resistance to better products is stiff, but if the cyberterrorism debate won't drive change, what will?

It certainly won't come from end users; their complaints have been ignored for years, and corporate security managers claim the problem with benchmarks is that they constantly shift as new threats emerge.

But hey, the family motor vehicle hasn't remained the same for the past 20 years either, and cars still have standards, you know, just the basics -- like brakes, headlights and steering wheels. Some necessary features can stay fixed while everything around them changes.

There is no 100 per cent proof rum (oops, software), but there must be a benchmark. And until one is in place, users can execute their own form of punishment by showing hip-pocket restraint with poor products. If you catch a villain, let me know: e-mail sandra_rossi@idg.com.au
