Gauging the Weak Points

Despite increased industry focus on security, problems on the rise and responsibility proving elusive.

Everywhere you turn these days, someone is talking about security.

Microsoft Corp. has announced a massive effort to improve the security of its products, a strategy that included a two-month-long review of Windows code and weeks of training for developers.

A group of government agencies and industry organizations recently released a set of guidelines for securing Windows 2000 machines.

Even President Bush is in on the act, unveiling a proposal that would unite most of the government's information security watchdogs under the umbrella of the new Department of Homeland Security, creating a central base for the government's efforts.

So, with all the attention that vendors and government authorities are lavishing on security, it would stand to reason that security would be improving.

Not so. In fact, not only is security not improving, it's deteriorating at a rapid rate. In the first half of this year, there were 2,148 vulnerabilities reported to the CERT Coordination Center, a clearinghouse for security information and data at Carnegie Mellon University, in Pittsburgh. Compare that with the 2,437 flaws reported during all of last year, and you get some idea of how bad things are.

The higher number of vulnerabilities is translating into an increase in the number of security incidents as well. CERT recorded 43,136 incidents in the first half of this year, compared with 52,658 for all of last year. If incidents continue to accrue at that rate for the rest of the year, there will be nearly 40 percent more attacks this year than last.

While almost everyone in the security industry, and the software sector at large, concedes that the number of vulnerabilities is a problem, no one seems to be willing to shoulder much of the responsibility. Rather, shifting the blame for security problems has become something of a parlor game.

Even Bill Gates has taken a turn. In an e-mail sent earlier this month to Microsoft customers, the Redmond, Wash., company's chairman and chief software architect outlined the progress Microsoft has made in its Trustworthy Computing initiative, listing several key accomplishments.

But Gates also took the opportunity to move the spotlight off his company and suggest that the number of security problems found in Microsoft products is the result of a confluence of events and not shoddy programming.

"This is an important part of the evolution of the Internet because without a Trustworthy Computing ecosystem, the full promise of technology to help people and businesses realize their potential will not be fulfilled," Gates wrote. "Ironically, it is the growth of the Internet and the advent of massive computing systems built from loose affiliations of services, machines, communications networks and application software that have helped create the potential for increased vulnerabilities."