Finished?
Okay, now let's count the ways she's wrong. You may have to borrow a few fingers from your coworkers to count that high, but we'll try anyway.
In fact, so frequent are these incidents [web-server-attacking worms] that, for many of the victims, just keeping up with the server software fixes seems to be too much to handle.
But, as annoying as such defacements are, in my opinion the more serious threat comes from security vulnerabilities in badly written home-grown Web applications - Common Gateway Interface scripts, server-side executables, active scripting and so forth ... These are the holes that are most likely to expose customer or business proprietary data.
Isn't it wonderful that she's able to predict that with such certainty! I mean, we have a room full of people whose job is to ensure the security of the products we write, but she knows that we are actually the problem here. I guess we should just fire everyone, give copies of FrontPage to our clients' managers, and tell them to rely on the industrial-strength security of Microsoft's products.
Of course, we'll still need those full-time people running each server, making sure the latest patches are installed. And that the new patches don't break anything else. And that the patches don't introduce any new vulnerabilities. Oh wait, since those full-time people won't have access to the source, even for the patches, there's no way they can know any of those things except through trial and error. Could that be why: (from a [link|http://www.informationweek.com/thisweek/story/IWK20010803S0020|different publication])
In most corporate IT environments, even after a software vendor sends out an alert, the patch job might languish. "Security often takes a backseat to other projects that management deems more important, and the resources aren't always made available to put patches into place immediately--or even within weeks," says a network administrator at a major medical company, who asked not to be identified.
Sounds to me like getting the server software right just may be slightly more critical. After all, changing a single CGI will probably only affect that CGI, or maybe a single application. But having to patch a server because someone hacked it -- or could -- is sure to affect just about everything to some degree.
So much business is moving onto the Internet that we can't wait for evolution to produce better code (an approach that has failed in every other area of software development).
Yes, we're hearing from Jody again. Apparently she's never heard of Linux, Apache, BIND, Sendmail ... Okay, listing all the successes is getting tedious. Do these professional pundits and consultants go out of their way to stay uninformed, or is it a conscious effort to disparage anything they can't make a buck on?
So what's her solution?
Remember, security should be baked in, not painted on. Security should be an integral part of your software life cycle process, beginning with design and continuing through development and testing.
Good advice. But is she really suggesting that Microsoft's products have followed this path? Really? I'd like to find a list of her former clients. They should be in need of some help after the recent rash of Code Red attacks. I imagine they're getting hit pretty hard, if they actually followed advice like hers.