AusCERT 2004: Make better software

Australian businesses are still struggling with critical elements of security, such as patch and configuration management, and developers need to improve products, according to AusCERT general manager.

Only five percent of respondents were confident they were managing computer security issues "reasonably well", AusCERT's 2004 Australian Computer Crime and Security Survey stated. This represents a drop from last year's 11 percent.

Changing user attitudes, keeping up to date with threats and configuration management were the top three aspects of security businesses cited as most problematic, at 65 percent, 61 percent and 56 percent respectively.

AusCERT general manager Graham Ingram was not surprised and called on developers of software to lift their game.

"With patch management the issue is one of volume because of the sheer number and seriousness of patches. The time between when the [software] vulnerability is announced to the time a patch for the vulnerability is available has narrowed," Ingram said. 

"It is no longer practical to do best practice in terms of keeping pace with patch management. System administrators have a choice: They can fully test a patch to see whether it will break the systems or they can let the worm come through." 

"There are two sides. There are those deploying the systems and there are those making the systems to deploy. Those that are deploying systems are doing their bit in making an effort in terms of security but are fundamentally held back by those making systems to deploy," he said.
 
"We know the code is inherently insecure. There is a saturation level for people in patching. "[Businesses] can't keep up with the pace," he added.

"A lot of vulnerabilities are found by research labs -- not hackers -- who say they are doing a service to reveal there is a vulnerability," he said. "However once you get to a volume issue with patching ..."

"You are feeding the attacker community with information on vulnerabilities," Kathryn Kerr, survey author, finished. 

Asked AusCERT's stance on full disclosure of vulnerabilities, Kerr -- AusCERT's analysis and assesement manager -- said "disclosure is an issue at the volume and pace it is occurring."

"It is as much as an issue in open source as it is with vendors of proprietary software," Kerr added. "Open source advocates argue that because it is open it is more secure as more eyes can scout out more vulnerabilities and fix them. But when you look at figures that doesn't add up."

One reason, Kerr said, is that Microsoft, as the world's biggest software vendor, is a more attractive target for vulnerability scouts and attackers alike. 

"Microsoft is the most used software on the planet. It makes commercial sense that vulnerability researchers will look for flaws and make patches available for Microsoft's products," said Ingram.

Ingram said while Microsoft is generally being acknowledged as moving forward, and its later products, such as Microsoft 2003 and IIS are significantly better for security, the software vendor's huge legacy base is its biggest problem.

"Microsoft is moving forward but the millstone around their neck is legacy base of products to deal with as well. There are businesses out there still running NT4. There is no quick fix."

For business, Ingram said "the deployment and growing dependence on IT is outstripping our ability to protect it."

Siobhan Chapman travelled to AusCERT2004 on the Gold Coast as a guest of AusCERT.