Cybertrust's Russ Cooper says Microsoft customers share the burden of building safer systems

It’s easy to point the finger at Redmond when Microsoft products fall vulnerable to exploits and attacks. But according to Russ Cooper, senior scientist at IT security company Cybertrust, consumers play as much a part as engineers when it comes to building safer systems.

InfoWorld: Who is to blame for security flaws in Windows applications: Microsoft or ISVs?

Russ Cooper: Remember SUV tires? Whose fault was it: the auto manufacturer, or the tire manufacturer, or the consumer? The fact was that consumers wanted vehicles that were top-heavy, and they got more use out of tires that were underinflated. Ultimately the dealers underinflated the tires, the manufacturer provided tires that might run better underinflated, so everybody’s culpable. But it comes down to what consumers want.

IW: Are you saying that SP2 [Service Pack 2] reflects a changed consumer attitude?

RC: No, unfortunately not. It represents a consensus amongst consumers and security professionals about how much restriction we can put on standard functionality without ticking off the people who don’t care about security. It’s neither as convenient as consumers would like nor as secure as security pros would recommend.

IW: Is Microsoft really changing?

RC: We are seeing a real cultural change, but there’s no history to back it up. The SP2 deliverable represents a dramatic shift. … We see [Microsoft] doing things they would never have done before, such as increasing support cost to provide security and recognizing that security will affect product sales. Will this shift be permanent, or will they flip back to feature-driven mode? We don’t know.

IW: Are you more optimistic lately?

RC: Yeah, definitely. Clearly Microsoft is doing things I have asked them to do for years. I’d be a fool to say I’m not happy about that.

IW: What’s the next step?

RC: They have to get more aggressive about end-of-lifing the older systems.
Certainly they represent a huge investment by corporations, and lots of business-critical apps require legacy functionality, but Microsoft has to put a stake in the ground. At some point, we have to say we’re not going to allow steam engines on the road anymore.

IW: Any final advice?

RC: Get SP2 installed. There’s no rush, but do it. Realize, though, that apart from user education — which is valuable — we’re not going to see the direct benefits of any of this for years. Also realize that consumers are the ones affecting us the most. Whatever we can do to improve their environment will make our lives simpler because we’ll have fewer things attacking us. Talk to your service providers as well, and find out if they’re doing anything to prevent you from being attacked by their customers. And if not, ask them why not.