General discussion


Who's responsible for security?

By discussion
In this week's Security Solutions column, Michael Mullins says that Microsoft produces software, not security. Do you agree with him? How responsible should Microsoft be for the security of its products? What do you think of the idea that admins' failure to patch, rather than Microsoft's flawed software, is to blame for the recent Slammer attacks?

This conversation is currently closed to new comments.

96 total posts (Page 1 of 10)

50/50

by Jellimonsta In reply to Who's responsible for sec ...

I think any major software producer should take some responsibility in producing the most secure, stable piece of software they can produce. On the other hand, the 'out of the box' secure OS still would not suffice in my opinion. Sure, they could make it secure to the best of their abilities, but chances are there is always going to be some area of exploitation for would-be hackers. With that in mind, leading admins or uneducated users to believe their system is completely safe out of the box is setting them up for a fall.


We are all irresponsible

by dennisjh In reply to 50/50

While the attempt to make a "quality" product is admirable, there is not one man-made thing in the universe that is perfect. Even nature has its own issues with perfection. Two words: duck-billed platypus. While Microsoft is a software company, it is also a business. In order to be profitable, it needs to be first to market and thereby may not build the "perfect" code. When consumers start to demand better products, then we may start to get them. I do not blame Microsoft for security lapses. The people that write worms, bots and other malicious code are the ones at fault. If the criminal did not exist, there would be no crime. Idealistic? Maybe, but with an excuse. How do you test multiple million lines of code for every possible flaw? You can't, and they don't. So live with it and be aware that they do release patches in a very timely manner and allow all users of the product, whether in warranty or out, to download and install the fixes. It then becomes our responsibility to maintain our software. Is it GM's or Ford's responsibility to have your oil changed? No, it is yours. You own the car.

Dennis


I agree

by Jellimonsta In reply to We are all irresponsible

I totally agree with you. Hardware is always better than software, so if people want security, buy a hardware firewall. Not to say there should not be some software firewall solution implemented also, but I still believe hardware is the way to go. I think M$ does do its part in creating and making available patches and fixes for known security and operational problems. I also totally agree that there is no way they would go through every line of code for flaws. Imagine when M$ brings out the CRM/ERP solution; there is no way they are going to weed through those millions of lines of code for flaws. That is why I usually wait a year before I implement their 'new' technology :)


Not quite right with the car analogy

by HAL 9000 Moderator In reply to We are all irresponsible

Sure, it's your responsibility to change the oil/brake fluid or whatever else on a routine schedule. However, if a basic design flaw is discovered, it is the responsibility of the manufacturer to recall the product and fix it at their cost. Example: Ford, about 15 years ago, recalling a whole bunch of cars that had Holley carbs fitted that failed and could result in a fire. Mercedes Benz recently recalled an obsolete model just because they thought that a brake line might give some problems. If a company was to make anything from a car to an electric jug that proved unsafe, it MUST BE RECALLED and repaired/replaced at the company's cost! How does MS get away with their practices?


Still not quite right

by Cactus Pete In reply to Not quite right with the ...

MS doesn't cause you harm with what they sold you during your normal casual use ... unless someone else outside deliberately tries to harm you.

So, to make your analogy work, someone would have to be deliberately taking advantage of the errant carb.


OK, let's forget cars and concentrate

by HAL 9000 Moderator In reply to Still not quite right

On the real issue here, and thankfully I was not the first to use the car analogy. Let's, for argument's sake, say you have a hard drive that you bought two weeks ago and it started developing bad sectors. Would you simply grin and bear it? Or would you want it replaced? I can guess your answer to that one! Anyway, any manufactured good must be of serviceable quality and they all have a guarantee, yes, even MS products, but here the main culprit is not so much the software but the operating system. Just why is it acceptable for MS to put out patches that you have to download and install at your risk when every other manufactured good has to be repaired by the maker for free? The most they can charge you is to pick it up if you don't want to return it to where you bought it from.

And yes, while it is unlikely that a faulty operating system will actually kill {unless you have a heart attack when it falls over}, it can however do something much worse: it can send you broke! While there is no real problem in a normal home environment, as these computers can go weeks without being used, in a business environment this is a totally different story, and every business relies on their computers to continue to service their customers, send out bills, and make records of every other action undertaken by the business. These businesses simply cannot function without their computers, and MS do sell manufactured goods, namely operating systems, to these businesses.

So again, exactly what is the difference between an MS product and a product from any other maker? And MS actually do make all the various forms of Windows. And why should MS be treated differently to any other company? Don't you think that there is just a little bit of a double standard here?


scrap the analogies

by Cactus Pete In reply to OK, let's forget cars and c ...

Well, you left a lot to be assumed in your HD analogy. If it was a $50 HD, that was about 20GB and it developed 2% bad sectors and no more, then I would accept it for what it was. If it were intended to be a business critical drive - and for some reason was the only one purchased - I would have made sure to spend more money on a higher quality drive. In which case, if it started losing 5% of its sectors, you're damn right I'd return it.

But things mechanical cannot be directly compared to things intellectual.

The arguments here flit between being mad at the quality of the product and the quality of the business practice of Microsoft. I propose everyone chooses which they argue and sticks to it, or even a combination of the two, but stick to it.

Anyway, people need to remember that MS [or anyone else] cannot provide a totally secure and crash-free product that works with all other third party products and future technological developments. And don't forget how everyone whines about backward compatibility.

Accept the fact that all parties involved are responsible for security. It's not like MS has abandoned the idea.


My security manifesto

by LordInfidel In reply to Who's responsible for sec ...

What came first, the chicken or the egg?

That is really the question when it comes to security.

MS is responsible to make sure that their source code is secure. Same with other software providers.

The hardware vendor is responsible that their drivers are secure and stable.

The sys admin is responsible for making sure that the machines are installed properly and secured.

The fwl admin is responsible for making sure the network is secured.

The ISP's are responsible for effective monitoring and precautions at their borders and within their networks.

But there has to be a "the buck stops here". It is the responsibility of the security officer to make sure that their network is secure. That includes testing all software installed, regardless of who it comes from.

As long as the vendor identifies a vulnerability in their software and supports a patch to fix it, then they have done their job.

It is up to the admins then to apply the fix.
It is also up to the admins to take appropriate security measures prior to a machine being connected to the net.

If an admin does not follow standard security practices and relies solely on the software vendors for their security, then it is the admin's fault.


There's More To It Than That

by support In reply to My security manifesto

The patch must not only be posted, but it must also work. By "work" I mean it must solve the problem it is supposed to address and not break anything else.

Case in point - MS just recently pulled an NT patch from their site which caused many servers to crash unpredictably until the patch was removed. Simply publishing a patch is not the limit of the vendor's responsibility. In the meantime, if the relevant vulnerability is exploited on those machines it still is NOT the fault of the admin for not patching.

I lost a test server to this patch (and to others, granted) and have had to make the calculation many-a-time: do I roll it out to production or not? Patching servers is a crap shoot at best, and sometimes you just gotta have faith. But sometimes you just can't afford to leave the fate of a system up to the whims of the server gods.

I have a life, and I don't relish staying late to rebuild a system because the patch won't back out. I don't relish coming in on the weekend either - I've worked hard for the last 5-6 years to make my domain rock-solid reliable so that I can see my wife and kids on a regular basis.

Those of you who have time to burn have your own priorities. My priorities are different. My (production) servers aren't broken, and I want them to stay that way. It takes time to keep up with the latest vulnerabilities and I still take the time to keep up but the truth is I do have other things to do, like trying to make sure our business continues to make money and I continue to draw a salary.

I'm in no rush whatsoever to bring my network crashing down around me. Furthermore, I don't think I *should* be in such a great hurry to do so either.


That's not the issue though

by LordInfidel In reply to There's More To It Than T ...

The issue is, who is responsible for security.

It goes without saying that if a vendor publishes a patch that it should work.

But that's not what we are talking about.

The matter at hand is, does the vendor have a responsibility to hold the admin's hand and make sure that their systems are secured?

I say no, because there are different levels of security. No one area can be governed by another.

(I've started on my CISSP, so I have a different outlook on the "buck stops here" for responsibility.)

Security of a network rests with the Security Officer. A network does not just consist of the OS. There are lots of different levels to it. And each level has to be secured.

Which is why "security-in-depth" is preached. You cannot just rely on the firewall. And you cannot just rely on the OS. And you cannot just rely on passwords.

But in this "exact" scenario of the SQL worm, a properly configured firewall would have blocked the worm from entering, regardless of whether or not the system was patched.
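The point made in this post, that a border firewall stops Slammer-style traffic whether or not the SQL Server host has the patch applied, can be shown with a small policy simulation. The following is an added example written for this page; it is not code from any thread participant or from any firewall product. It models a stateless inbound packet filter with two rule sets: a permissive policy that lets any inbound traffic reach the LAN, and a default-deny policy that admits only the services the site actually publishes. Slammer propagated by sending a single UDP datagram to port 1434 (the SQL Server Resolution Service); the flows, addresses (RFC 5737 documentation ranges) and rule sets below are constructed for the illustration.

```python
"""
Toy inbound packet filter: permissive policy vs. default-deny policy.

Added example for this thread, not code from any poster or vendor.
All flows, addresses and rules are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inbound datagram/connection attempt, summarised as a 4-tuple."""
    proto: str   # "tcp" or "udp"
    src: str     # source address (Internet side)
    dst: str     # destination address (LAN side)
    dport: int   # destination port


# A rule is (proto, dport, action). proto "any" / dport None match everything.
# Rules are evaluated top to bottom; the first match wins.

# Weak policy: the border router forwards everything inbound. Any host
# listening on UDP/1434 is reachable from the Internet, so the only thing
# protecting it is whether the admin has applied the patch.
PERMISSIVE_RULES = [
    ("any", None, "allow"),
]

# Hardened policy: publish only what the business offers (a web server
# on 80/443) and deny everything else inbound. The explicit UDP/1434 deny
# is redundant with the final default-deny but makes hits easy to count
# in the firewall log.
HARDENED_RULES = [
    ("tcp", 80, "allow"),
    ("tcp", 443, "allow"),
    ("udp", 1434, "deny"),   # SQL Server Resolution Service, never exposed
    ("any", None, "deny"),   # default deny for all other inbound traffic
]


def evaluate(flow: Flow, rules) -> str:
    """Return "allow" or "deny" for a flow under the given rule list."""
    for proto, dport, action in rules:
        if proto != "any" and proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"   # implicit default if no rule matched at all


def policy_summary(flows, rules) -> dict:
    """Count how many of the flows each policy admits or drops."""
    return dict(Counter(evaluate(f, rules) for f in flows))


# Constructed inbound traffic sample: one Slammer-style probe, one
# legitimate HTTPS client, one direct attempt at the SQL Server TCP port.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.7", "192.0.2.10", 1434),   # worm-style probe
    Flow("tcp", "198.51.100.3", "192.0.2.20", 443),   # ordinary web client
    Flow("tcp", "203.0.113.9", "192.0.2.10", 1433),   # SQL Server TCP listener
]

SLAMMER_PROBE = SAMPLE_FLOWS[0]


def probe_reaches_host(rules) -> bool:
    """True if the worm-style datagram would be forwarded to the LAN host."""
    return evaluate(SLAMMER_PROBE, rules) == "allow"


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name:10s} summary={policy_summary(SAMPLE_FLOWS, rules)} "
              f"probe reaches SQL host: {probe_reaches_host(rules)}")
```

Under the permissive policy all three flows are forwarded, so the SQL host's safety depends entirely on patch state; under the hardened policy only the HTTPS flow gets through and the UDP/1434 datagram is dropped at the border before patching ever matters. That is the layered argument the post makes: the patch and the firewall rule each cover the other's failure, and neither alone is the whole of security.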
