Computer Weekly "CW 360º", © 2001 ComputerWeekly.com Ltd
Code Red: Time for defensive coding
By Cliff Saran
Code Red may have been a comparative non-event, but the publicity surrounding
the worm that threatened to bring down the Net should act as a call for action
within the software developer community.
Wednesday, August 01 2001 - Estimates from the US
research group Computer Economics suggest that the bill for using contracted IT staff
to patch the vulnerable Microsoft web server, IIS, currently stands at $1.2bn (£0.84bn).
Some might wonder whether it is fair to expect users to foot the bill for
a flaw in Microsoft's software. Among the experts who spoke to CW360, the consensus
was that Microsoft was not culpable, even though it continues to sell flawed software
to users.
Simon Moores, the chairman of the Microsoft Forums, told CW360 that the Internet
relies too heavily on Microsoft software. "Problems
[such as Code Red] will continue to reveal flaws in Microsoft software," he
said.
Most commercial software is flawed, however, and Tony Lock, a senior analyst
at Bloor Research, said he could not envisage a time when software would be
bug-free.
DK Matai, the managing director of the security firm mi2g software,
said, "The Code Red worm vulnerability amplifies
the argument in favour of open software within large businesses." Under
such a scenario, Matai argues, users would be able to run their own teams of software
engineers to develop patches in real time as more and more vulnerabilities came
to light.
But it is not just commercial software products that are being targeted. Kenneth
De Speigeleire, the manager of security assessment services at the security
firm ISS, warned that hackers were moving higher up the food chain. Hackers
initially targeted operating systems, but security holes in operating systems
are now well publicised and patches are readily available, forcing serious hackers
to look elsewhere when mounting an attack.
The most serious threat envisaged by De Speigeleire is one of hackers targeting
bespoke e-commerce applications such as online banking.
Worryingly, the same type of flaw that the Code Red worm exploited, the buffer
overflow, will occur in any type of software, according to De Speigeleire.
"If you look hard enough you will find a buffer overflow error in every application,"
he said.
In De Speigeleire's experience, a skilled hacker would be able to write a
buffer overflow exploit for a bespoke e-commerce application in less than three
days. The only indication that someone was attacking the software would
be an intrusion detection system catching the hacker repeatedly accessing the application.
The only way to avoid Code Red-type scares is to produce flawless software
- a feat the industry believes is impossible. However, software vendors could
write applications more defensively, assuming that someone will always try to break
in, and put in place measures to limit damage or prevent exploitation.
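What "writing defensively" means for the buffer overflow class the article describes is shown in the added example below. It is not code from the article or from any of the products discussed; it contrasts a hypothetical request handler that copies an attacker-controlled field into a fixed-size stack buffer without checking its length (the defect class Code Red exploited) with a hardened version that validates the length against the buffer, leaves room for the terminating NUL, and reports the rejection to its caller rather than silently truncating. The function names, the 64-byte field size and the sample requests are all assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed fixed-size field buffer, typical of legacy handlers */

/* Vulnerable (hypothetical) handler: copies an untrusted string into a
 * fixed stack buffer with no length check. Any input of FIELD_MAX bytes or
 * more overruns the buffer; this is the defect class Code Red exploited.
 * Returns the length copied. Never call this with untrusted input. */
int handle_field_unsafe(const char *input)
{
    char field[FIELD_MAX];
    strcpy(field, input);          /* no bounds check: the overflow */
    return (int)strlen(field);
}

/* Hardened handler: the input length is checked against the buffer before
 * any copy happens, with one byte reserved for the terminating NUL.
 * Returns the copied length, or -1 when the input is rejected as too long. */
int handle_field_safe(const char *input)
{
    char field[FIELD_MAX];
    size_t len = strlen(input);
    if (len >= sizeof field)       /* >= so the NUL still fits */
        return -1;
    memcpy(field, input, len + 1); /* copies exactly len bytes plus the NUL */
    return (int)len;
}

/* Constructed probe: a string of n 'A' bytes, like an oversized request sent
 * by a scanner. Returns the hardened handler's verdict for that input. */
int probe_safe(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int r = handle_field_safe(buf);
    free(buf);
    return r;
}

/* Outcome counters for a batch of requests. */
struct tally { int accepted; int rejected; };

/* Run the hardened handler over a list of inputs and count the outcomes;
 * the rejected count is what an operator would want surfaced as a log
 * event, since a run of rejections is the "continual access" signal an
 * intrusion detection system looks for. */
struct tally process_requests(const char *const *inputs, size_t n)
{
    struct tally t = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (handle_field_safe(inputs[i]) < 0)
            t.rejected++;
        else
            t.accepted++;
    }
    return t;
}

/* Constructed sample batch: two ordinary requests and one 199-byte probe. */
struct tally demo_batch(void)
{
    char probe[200];
    memset(probe, 'A', sizeof probe - 1);
    probe[sizeof probe - 1] = '\0';
    const char *inputs[] = { "GET /index.html", "GET /about.html", probe };
    return process_requests(inputs, 3);
}

int main(void)
{
    struct tally t = demo_batch();
    printf("accepted=%d rejected=%d\n", t.accepted, t.rejected);
    printf("63-byte field: %d, 64-byte field: %d\n", probe_safe(63), probe_safe(64));
    return 0;
}
```

The important detail is the comparison `len >= sizeof field`: a check of `len > sizeof field` would admit a 64-byte input whose NUL terminator lands one byte past the end of the buffer, which is the classic off-by-one. Returning an explicit error, rather than truncating with `strncpy`, also means the caller can count and log rejections instead of silently processing a mangled field.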
Modern computer systems have enough spare processing capacity to absorb the
overhead of such defensive checks without much of a performance hit. But the
sheer pace of software development will lead many businesses to cut corners
and continue to deploy applications with hidden buffer overflow time bombs.
And when the software fails, everyone will have to pay the price.