Unfortunately, software vendors and developers have an enormous incentive to treat security as a public relations issue rather than a technical one.
Absent significant legal developments, security problems only prove a liability to a vendor if they lead to a reputation for poor security. In the short term, its often more cost-effective for a vendor to shore its reputation by “spinning” a problem than by fixing it. Thats unfortunate for customers and partners alike.
Case in point: Microsoft has faced a wave of major security problems recently, culminating in a Gartner recommendation that users seek alternatives to Internet Information Server (IIS). In response, Microsoft recently launched a new campaign to shift responsibility for the security problems elsewhere, beginning with an essay by Microsoft Security Response Center Manager Scott Culp.
The core of this essay was a call for an end to what Culp dubbed “information anarchy”—i.e., the practice of publicly discussing vulnerabilities in great detail, often to the extent of publishing “exploit” code. According to Culp, extensive details serve only to arm the bad guys, and publicizing them amounts to an ethical failure on the part of the security community. Moreover, he argues, continuing with this kind of irresponsibility will discourage vendors from openly addressing security issues.
I know Scott Culp. Hes a smart man and a talented security professional—which is why he should be working on solving software problems rather than writing PR materials.
Culp himself admits that this kind of information has a way of getting out one way or another. It only takes one person to put “exploit” code online, and the rest of the world can use it. Moreover, administrators rely on up-to-date information to protect their own networks. Restricting public discussion of security issues will do more to disarm the good guys than the bad guys.
Culps essay was quickly followed by a article at devx.com by Microsoft .NET Developer Evangelist Michael Lane Thomas. Unfortunately, this essay leapt beyond the disingenuous into the ridiculous and offensive (and has been removed from the site.)
According to Thomas, Microsoft is the victim of worm-writing “industrial terrorists” and oblivious, procrastinating systems administrators who refuse to apply software patches. “Following Gartners recommendation to seek alternatives to IIS only accomplishes what the industrial terrorists want,” Thomas concluded.
The United States information infrastructure is certainly a valuable target for terrorists. But theres no connection between the events of Sept. 11 and the spate of worms that recently struck MS servers. To suggest otherwise in an attempt to garner public support is nothing but opportunism of the worst kind.
There is more than enough blame to go around for the security problems that riddle the Internet. The attackers are obviously first on that list, but corporate managers, system administrators, and security professionals have all dropped the ball in their own way.
In no way, however, does this diminish Microsofts responsibility for securing its own products and addressing its own mistakes. Microsoft needs to clean up its act before it starts pointing fingers elsewhere.