
They're not even being presented with a challenge...
By silicon.com
Published: 31 July 2003 05:46 GMT
A study of internet security flaws has revealed that half of vulnerable systems remain unfixed after 30 days - making life easy for hackers.
The data - released at the Black Hat Briefings security Conference in Las Vegas - also showed that some flaws don't completely die out over time but actually make a comeback. The vulnerabilities exploited by the Code Red and SQL Slammer worms, for example, are allowing those threats to reassert themselves on the internet, said Gerhard Eschelbeck, chief technology officer for vulnerability-assessment company Qualys.
"There is something going on that is bringing vulnerabilities back to life," Eschelbeck said, adding that the main theory is that companies continue to install systems that include out-of-date software.
The study, which correlates nearly 1.5 million scans done by Qualys over a year and a half, underscores the need for customers to be more proactive about patching systems and for software makers to weed out vulnerabilities during development.
The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious - as much as 60 days longer - by which time, in 80 per cent of the cases, security researchers and hackers had released programs to exploit the flaws.
The data seems to support assertions by the Organisation for Internet Safety that companies need time to fix flaws and patch vulnerable systems.
Security researchers also attacked software vendors' seeming inability to eradicate the most serious bugs from their applications, saying that was a key problem in dealing with server insecurities.
Mary Ann Davidson, chief security officer for database maker Oracle, said her company takes good software seriously, but that many other companies still haven't learned the lesson.
"If you [a software company] do the maths and you are serious about your reputation, you have every incentive to treat your customers' systems as if they were yours," Davidson said.
Davidson said better quality could come about through US government requirements that call for federal purchasers to go with certified software.
"If the government is serious about demanding secure software, then the industry is going to have to change and provide it," Davidson said.
Davidson added the private sector should take a similar tack.
Robert Lemos writes for News.com
Basic awareness of computer based vulnerability analysis testing. Moderate awareness of computer based vulnerability analysis testing. You will be ...
The candidate will have existing CHECK (ideally team leader status) credentials, holding security clearances and have experience in most of the ...
award in 2008, they employ over 500 people in the UK headquarters located in Milton Keynes.The Security & Information Architect role will be part of ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Nick Heath Your top HR tech priorities for next year revealed How to make human resources IT work for you
Bob Tarzey Why you must rein in your power users When they do damage, it can be catastrophic to your business