ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

Flaws don't die - study

Published: 31 Jul 2003 08:40 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A study of Internet security flaws showed that for serious issues, half the vulnerable systems remain unfixed after 30 days.

The data -- released on Wednesday at the Black Hat Briefings security Conference -- also showed that some flaws don't completely die out over time but actually make a comeback. The vulnerabilities exploited by the Code Red and SQL Slammer worms, for example, are allowing those threats to reassert themselves on the Internet, said Gerhard Eschelbeck, chief technology officer for vulnerability-assessment company Qualys.

"There is something going on that is bringing vulnerabilities back to life," Eschelbeck said, adding that the main theory is that companies continue to install systems that include out-of-date software.

The study, which correlates nearly 1.5 million scans done by Qualys over a year and a half, underscores the need for customers to be more proactive about patching systems and for software makers to weed out vulnerabilities during development.

The more serious the vulnerability, the quicker the companies patched it, the study found. Companies took longer to fix flaws thought to be less serious -- as much as 60 days longer -- by which time, in 80 percent of the cases, security researchers and hackers had released programs to exploit the flaws.

The data seems to support assertions by the Organisation for Internet Safety that companies need time to fix flaws and patch vulnerable systems.

Security researchers also attacked software vendors' seeming inability to eradicate the most serious bugs from their applications, saying that was a key problem in dealing with server insecurities.

Mary Ann Davidson, chief security officer for database maker Oracle, said her company takes good software seriously, but that many other companies still haven't learned the lesson.

"If you (a software company) do the math and you are serious about your reputation, you have every incentive to treat your customers' systems as if they were yours," Davidson said.

Davidson said better quality could come about through government requirements that call for federal purchasers to go with certified software.

"If the government is serious about demanding secure software, then the industry is going to have to change and provide it," Davidson said.

Davidson added the private sector should take a similar tack.

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with Kyocera

Did you find this article useful?
64 out of 138 people found this useful


Talkback

Post a comment


Full Talkback thread

1 comment

  1. Having a good policy is merely a text book where e... VL

Related Links

More In Security threats



Company/Topic Alerts

Create a new alert from the list below:



Related Jobs

FIX CONNECTIVITY - LONDON - PERMANENT

FIX Support Engineer with strong client facing skills required for a leading boutique financial software organisation. An in-depth knowledge of FIX ...

Senior QA (Quality Assurance) Officer, Biopharmaceutical Company

Senior QA (Quality Assurance) Officer, Biopharmaceutical Company, Staffordshire/Oxfordshire Senior QA (Quality Assurance) Officer: My client is a ...

Fidessa Trade Floor Support, Fidessa, FIX, Equities

Fidessa Trade Floor Support, Fidessa, FIX, Equities An Investment Bank is looking for a Trade Floor Support Analyst to join their Equities team. ...

Featured Talkback

What was achieved there is recognised to be of fundamental importance to both winning the war (Churchill visited to say 'thank you' to them) and the development of the computer. Maybe Bill Gates doesn't want to support this museum because it underlines where electronic computing started i.e. here, not the U.S.

By: 1000103773

Read full story:
Bletchley Park faces bleak future

Sentry Posts Blog

Biometric devices. Do you need one?

When saying “biometrics” I am not thinking about law enforcement, AFIS systems, national ID and visa projects. I first think about personal solutions that will make my life easier.... More

1 comment

Barracuda launches counter-suit agains...

Court cases are never pleasant or simple. The ongoing battle between security companies Trend Micro and Barracuda Networks took a new twist on Wednesday, when Barracuda launched a counter-suit... More

Post a comment

Mobile Speed Demon: Wireless Surpasses...

Mobile Speed Demon: Wireless Surpasses Landline Author: Eric Everson, Founder MyMobiSafe.com As I look around my house and throughout my network of friends, I instantly realize... More

Post a comment

Featured Oracle Resources

businessfirst: Ideas to help small companies retain their successful entrepreneurial spirit

Oracle ONE Magazine: Technology solutions for midsized businesses February 2008 edition

Choosing a Reliable and Powerful IT Infrastructure at a Price You Can Afford

Database Consolidation: Reducing Cost and Complexity

Ensuring Data Protection for Growing Business

Oracle for medium and emerging businesses: protect, strengthen and enhance your organisation

Oracle partner network solutions catalogue

See All White Papers