The words 'a load of hot air' aptly sum up Code Red, the last major
e-commerce scare to induce panic. But, says Davey Winder, it did
make ESPs think about how to avoid future security
embarrassment.
When I wrote this, I couldn't help but want to scrawl graffiti
there on the toilet walls at Microsoft HQ in Redmond, US. "Here I
sit, not broken-hearted, Code Red hit but the threat had departed"
might have been an apt motto.
Although UK media coverage was pretty high profile with lead TV
news stories and columns in the tabloids and broadsheets alike, it
was nothing compared to what happened over in the US. Code Red
warnings appeared everywhere, so much so that a number of people
assumed it was hype for a forthcoming movie release!
FBI officials warned on TV that the Internet was facing meltdown,
and it was claimed that the cost of both 'shoring up Web defences'
and 'cleaning up after Code Red' would exceed $2bn.
This was a classic case of hype but made worse because it came from
Government officials on the day before the Code Red worm was due to
strike and when patches had been available for many weeks prior.
The cynic in me suggests that it's not a good tabloid news story
unless a measure of panic can be attached - and you only get that
right at the last minute.
Davey's dilemma
In actual fact, Code Red and its
successors seem to have caused the same catastrophic e-commerce
disaster as the Y2K bug - pretty much minimal, and the hysteria
probably did avert a small crisis with most people installing the
MS patch and protecting their servers.
The dilemma, then, is the choice between attempting to instil a
security strategy in the core of e-commerce implementations or
leaving it up to the media and the hope that IT managers are
watching News at Ten. Can an ESP provide a client with its
e-commerce solution, patched to the hilt on sign-off day, and just
walk away? The answer is yes, it can and must, unless it provides a
security service as part of that contractual obligation.
The best ESPs can realistically hope for is that clients have the
sense to appoint someone with security responsibility who checks
for, and installs, server patches regularly. At least that way,
when the next Code Red, Nimda or Dogswot strikes, it won't be ESPs
that get the blame for not doing their job properly, but rather the
'security manager bloke' or Microsoft.
And the moral of this tale?
An ESP can never claim
that an e-commerce implementation is 100 per cent secure against
future threats, but unless it does everything in its power to make
it 100 per cent secure against existing ones then it is not doing its
job properly.
Trend spotting
At last it looks like Web application
servers are coming of age. This is good news for all ESPs wanting
to build out a solid solution, yet we are being told that J2EE
compliance is a given, when experience suggests otherwise.
Yes, standards-based Java architecture for application servers is
vital for the high-end enterprise strength solutions, but in the
SME marketplace where clients are looking for the biggest bang per
buck, bottom line says J2EE is an expensive frippery.
So if an ESP is not specifying something along the lines of an IBM
WebSphere Enterprise solution, where does it look for a mature,
solid and easy to implement alternative that won't break the budget
and will keep both client and development staff happy?
Macromedia ColdFusion is the obvious answer. Anyone who can
manipulate HTML can get to grips with ColdFusion, thanks to its use
of ColdFusion Markup Language (CFML), an extensible tag-based
language of similar proportions. Most developers will stick with
the solution they know brings solid simplicity and equally solid
developer community support.
Metric of the month
It's been a bad year for e-commerce
with the dot.com disasters, tech stocks tumbling and plummeting
profits. But analysts such as Datamonitor and BizRate were
optimistic and said this was about to change. They predicted that
the total US e-commerce revenue for 2001 would hit $38.7bn, while
the last quarter would show a picking up of some 34 per cent to
$12.4bn. But what a difference a day makes, as the disaster in the
US proves. No predictions this month.
Davey Winder is a consultant specialising in Web site usability
issues