Software Insecurity – Don’t Blame Microsoft

Reporters and analysts covering the technology industry have one thing right: The insecurities that lurk within software represent a legitimate threat to commerce and potentially even national security.

But it’s time to stop blaming Microsoft.

For one thing, it’s much too easy — and a far too black-and-white worldview. If you’re a Red Sox fan, the Yankees are the Evil Empire. If you’re not — like most people on the planet — the Yankees are simply better than anyone else. The software analogy is self-evident.

The real risk isn’t Microsoft’s alleged inability to write good software. The risk is spending so much time demonizing the company that the true vulnerability goes unchecked.

The Real Risk

If I’m a code-packin’ bad guy, of course, I couldn’t be happier about the world’s fixation on Microsoft. That single-minded focus means the heart of the matter is being overlooked. The core issue is, in a nutshell, very simple and far worse: All software and all technology are inherently vulnerable.

I’m an experienced software engineer, not a Microsoft apologist. Moreover, my company makes a living patching the holes in Microsoft operating systems. In a manner of speaking, their lemons are my lemonade. But the pile-on occurring in the press and the software community is neither justified nor smart.

Yes, Microsoft “owns” 90 percent of desktops, but what about everything else — the routers, the databases, the middleware, the massive corporate ERP systems, the VPN boxes, the firewalls, the Unix and Linux servers, the mainframes, the PDAs, the computer-controlled manufacturing equipment? Last time I looked, most CAT scanners weren’t run by Microsoft, yet they are as vulnerable to a software mishap as an NT server.

Our nation’s IT infrastructure is a cosmos of software and hardware of almost incalculable complexity. Not one single piece of technology that you use today was conceived to operate flawlessly in an environment that is about as predictable as a supernova.

A Universe of IT

Many networks have evolved and diversified to a point at which organizations simply don’t know what equipment they have and where it is. Even if they do, it’s virtually impossible to keep track of the infinite permutations of settings on each machine.

Now factor into this equation those enterprising users who just can’t resist tweaking their machines. To an IT manager, they’ve gone rogue, innocently or maliciously installing applications, altering device settings, failing to use their virus scanners. For whatever reason, they’ve turned complexity into chaos when it comes to stopping a bug or even conducting a simple departmental software upgrade.

It’s time again to ask: Is Microsoft really the problem here?

I say we each take a look in the mirror.

Spotty Patchwork

According to data from the FBI and Carnegie Mellon University, more than 90 percent of all security breaches involve a software vulnerability for which a patch is available but uninstalled. Even the Slammer and Blaster worms could have been prevented by installing a patch that was available in advance of the worms’ genesis.

The simple act of updating computer software with readily available patches would stave off most viruses and worms. Windows comes out of the box with a simple and almost-automatic function for grabbing software patches from the Microsoft Web site and installing them with the click of a mouse.

Once again, the problem is complexity — and, to be honest, human nature. Most people just don’t bother to patch their system. It seems like a hassle, and to some degree they’re right to worry about what could happen when a new knot of code is tossed into the Windows registry, which already resembles a rugby scrum.

Practicality of Patching

On the enterprise level, it’s not only impractical to expect thousands of users to patch systems manually; it’s also often against the company’s IT policy. The reason is that not all software patches are critical — that is, needed to close a virus-friendly loophole. Beyond that, any new piece of technology added to an interdependent system can potentially conflict with some other element in the system. The other day, I installed a wireless networking card in my computer, and the scanner in my office stopped working.

Also, patching is very time consuming, like most manual tasks. Research firm Gartner estimates that technology professionals now spend up to two hours of their day, every day, managing software patches.

Welcome to chaos theory.

Expect Victory, Not Entropy

The best we can do is maximize the theory and minimize the chaos. That’s why all of “this” isn’t Microsoft’s fault, or Sun’s (believe it or not, Sun issues more software patches per week than Microsoft does), or Oracle’s, or SAP’s or — well, you get the point.

Yes, every one of these companies can do an incrementally better job with each and every product it brings to market. But these are not steps toward perfection. There is no such thing as perfection. Companies’ new products each add a new sliver of complexity into the mix.

This is not an argument for expecting less from software vendors; it’s a plea to expect more from ourselves, the users, and the role we play in keeping our systems up to date and healthy.

Alex Bakman is the CEO of Ecora Software, a configuration management software company based in Portsmouth, New Hampshire. He can be reached at [email protected]

Note: The opinions expressed by our columnists are their own and do not necessarily reflect the views of the E-Commerce Times or its management.

1 Comment

  • But shouldn’t that go for all operating systems and third-party software?
    I know that many other software vendors are just as, if not more, susceptible to buggy code, but they all play by the same rules: it’s partially up to the user. Not entirely, though. If Windows wasn’t so aimed at the average user, the user base would have to be a little more technically savvy, and would know to upgrade and patch their systems. If it was made clearer how to go about this, then less technical users wouldn’t have a problem doing it. As it is, though, I doubt most people in my house, for example, would know _what_ to do about a patch, never mind try and go about it. Until users are educated on basic security issues and how to maintain a certain level of security, they won’t do it, and Microsoft in particular will continue to get bad press. It’s not nice or fair, but it will happen. At least it’ll be interesting to see if Microsoft manage to resolve this issue.
