Old security issues have carried over into the fourth annual list of the Top 20 vulnerabilities, published last month by security organization SANS. The list, which details the top ten Windows and Unix/ Linux security threats, had a number of categories brought forward from the previous year's list. Explanations for this ranged from vendors' inadequate performance, to poor IT schooling.
In line for most criticism were vendors. "They got us into this state," said Alan Paller, SANS research director. He went on to say that purchasers should demand software is certified to be proof against the top 20 vulnerabilities.
The vendors have returned fire. Despite recent criticism of Oracle's patching processes, a spokesman claimed the company "offers the most widely tested software."
If programmers are causing the problem, does the origin lie in educational institutions? "We gave a couple of US colleges a test, asking for simple programs that were secure", said Ross Patel, editor of SANS Top 20. "We found the students writing for functionality rather than resilience. And that has to be addressed."
Patel suggests an accreditation scheme for educational institutions as a solution. But Ross Anderson, Cambridge University's professor of secure engineering, disagrees. "I don't advise working towards an accreditation scheme." Ultimately, said Anderson, responsibility must fall on the vendors: "In the same way that banks can dump security failures on their customers, vendors dump their errors on users."
When vendors do tackle their errors, it is through the often cumbersome process of patching. "But only about 50 percent of people patch," said Paller.
