Security: Patch works


The words 'a load of hot air' aptly sum up Code Red, the last major e-commerce scare to induce panic. But, says Davey Winder, it did make ESPS think about how to avoid future security embarrassment.

As I wrote this, I couldn't help wanting to scrawl graffiti on the toilet walls at Microsoft HQ in Redmond, US. "Here I sit, not broken-hearted, Code Red hit but the threat had departed" might have been an apt motto.

Although UK media coverage was pretty high profile, with lead TV news stories and columns in the tabloids and broadsheets alike, it was nothing compared to what happened over in the US. Code Red warnings appeared everywhere, so much so that a number of people assumed it was hype for a forthcoming movie release!

FBI officials warned on TV that the Internet was facing meltdown, and it was claimed that the cost of both 'shoring up Web defences' and 'cleaning up after Code Red' would exceed $2bn.

This was a classic case of hype, made worse because it came from Government officials the day before the Code Red worm was due to strike, when patches had been available for many weeks.

The cynic in me suggests that it's not a good tabloid news story unless a measure of panic can be attached - and you only get that right at the last minute.

Davey's dilemma
In actual fact, Code Red and its successors seem to have caused the same catastrophic e-commerce disaster as the Y2K bug, which is to say pretty much none, and the hysteria probably averted a small crisis, with most people installing the MS patch and protecting their servers.

The dilemma, then, is the choice between building a security strategy into the core of e-commerce implementations, or leaving it to the media and hoping that IT managers are watching News at Ten. Can an ESP hand a client its e-commerce solution, patched to the hilt on sign-off day, and just walk away? The answer is yes, it can and must, unless it provides a security service as part of its contractual obligation.

The best an ESP can realistically hope for is that clients have the sense to appoint someone with security responsibility who checks for, and installs, server patches regularly. At least that way, when the next Code Red, Nimda or Dogswot strikes, it won't be the ESP that gets the blame for not doing its job properly, but rather the 'security manager bloke' or Microsoft.
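The routine check that 'security manager bloke' would actually run, as an added example that is not part of Davey Winder's column: a small Python scanner that reads IIS W3C-style log lines and flags the publicly documented probe requests of Code Red (a /default.ida request padded with a long run of N, or X for Code Red II) and Nimda (traversal into winnt/system32/cmd.exe, or the root.exe backdoor Code Red II left behind). The log lines, the field order in the #Fields directive and the regexes are constructed for this example, not taken from any real server. A hit on a patched server is just noise worth watching; a hit on an unpatched one means the patch came too late.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Probe signatures for the worms the column names. The request shapes are the
# publicly documented ones; the regexes themselves are this example's own.
SIGNATURES = {
    # Code Red / Code Red II: GET /default.ida?NNNN...%u9090%u6858... against the
    # unpatched Index Server ISAPI filter (Code Red II padded with X instead of N).
    "code-red": re.compile(r"/default\.ida\?[NX]{8,}", re.IGNORECASE),
    # Nimda: traversal into winnt/system32/cmd.exe, or the root.exe copy of
    # cmd.exe that Code Red II dropped into /scripts and /MSADC.
    "nimda": re.compile(r"(?:root\.exe|/winnt/system32/cmd\.exe)", re.IGNORECASE),
}


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    worm: str
    request: str
    status: str


def parse_w3c(line: str) -> Optional[dict]:
    """Split one IIS W3C extended log line. The field order is the constructed
    '#Fields' directive used in SAMPLE_LOG below, not a universal IIS default."""
    if not line.strip() or line.startswith("#"):
        return None  # blank line or directive
    parts = line.split(maxsplit=7)
    if len(parts) < 7:
        return None  # truncated line, skip rather than guess
    date, time, ip, _method, stem, query, status = parts[:7]
    return {"timestamp": f"{date} {time}", "ip": ip, "stem": stem,
            "query": query, "status": status}


def full_request(stem: str, query: str) -> str:
    """IIS logs '-' for an empty query; rebuild the URL the client sent."""
    return stem if query == "-" else f"{stem}?{query}"


def classify(stem: str, query: str) -> Optional[str]:
    """Return the name of the worm whose signature matches the request, else None."""
    request = full_request(stem, query)
    for worm, pattern in SIGNATURES.items():  # dict order: code-red first
        if pattern.search(request):
            return worm
    return None


def scan(log_text: str) -> list[Hit]:
    """Run every log line through the signatures and collect the matches."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c(line)
        if rec is None:
            continue
        worm = classify(rec["stem"], rec["query"])
        if worm is not None:
            hits.append(Hit(rec["timestamp"], rec["ip"], worm,
                            full_request(rec["stem"], rec["query"]), rec["status"]))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per worm: on a patched box this is noise to watch, on an
    unpatched one a non-zero count probably means it is already infected."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.worm] = counts.get(h.worm, 0) + 1
    return counts


# Constructed sample log, not a real server's. Two worm probes, two benign requests.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-08-01 12:00:01 10.0.0.5 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858 404 -
2001-08-01 12:00:02 10.0.0.9 GET /index.html - 200 Mozilla/4.0
2001-09-18 09:15:40 10.0.0.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 09:15:41 10.0.0.9 GET /products/list.asp id=4 200 Mozilla/4.0
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.client_ip:10} {hit.worm:9} {hit.status} {hit.request[:60]}")
    print(summarize(found))
```

The status code is kept on each hit on purpose: a 404 for /default.ida on a patched server is the worm bouncing off, whereas a 200 on a server whose ISAPI mapping is still in place is the line you want to see before anyone else does.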

And the moral of this tale?
An ESP can never claim that an e-commerce implementation is 100 per cent secure against future threats, but unless it does everything in its power to make it 100 per cent secure against existing ones, then it is not doing its job properly.

Trend spotting
At last it looks like Web application servers are coming of age. This is good news for all ESPs wanting to build out a solid solution, yet we are being told that J2EE compliance is a given when experience suggests otherwise.

Yes, a standards-based Java architecture for application servers is vital for high-end, enterprise-strength solutions, but in the SME marketplace, where clients are looking for the biggest bang per buck, the bottom line says J2EE is an expensive frippery.

So if an ESP is not specifying something along the lines of an IBM WebSphere Enterprise solution, where does it look for a mature, solid and easy-to-implement alternative that won't break the budget and will keep both client and development staff happy?

Macromedia ColdFusion is the obvious answer. Anyone who can write HTML can get to grips with ColdFusion, thanks to its use of ColdFusion Markup Language (CFML), an extensible tag-based language that looks and feels much like HTML. Most developers will stick with a solution they know brings solid simplicity and equally solid developer-community support.

Metric of the month
It's been a bad year for e-commerce, with the disasters, tech stocks tumbling and profits plummeting. But analysts such as Datamonitor and BizRate were optimistic and said this was about to change: they predicted that total US e-commerce revenue for 2001 would hit $38.7bn, with the final quarter picking up some 34 per cent to $12.4bn. But what a difference a day makes, as the disaster in the US proves. No predictions this month.

Davey Winder is a consultant specialising in Web site usability issues
