March 25, 2014 at 8:28 pm
Comments posted to this topic are about the item The Endless Upgrade Cycle
March 25, 2014 at 11:23 pm
I come down firmly against the business in this case; as a huge company it has no excuse to be penny pinching.
IMHO the problem will stem from management. They treat in-house applications as if they were simple turnkey consumer products, and budget for technology with fixed one-time costs rather than recurring costs that increase in line with their revenue.
This is the unspoken SDLC:
- Throw tonnes of money at software developers to get the application built.
- Mission accomplished, contracts over, everyone moves on.
- Retain a skeleton crew, likely a single person re-tasked from an unrelated field in the organization (IT).
- Forget everything. They did everything by the book and a scapegoat is in place.
- Management updates their resume with this as a success and leaves for somewhere else.
- Years pass. One day the system fails, and it's big enough to be noticed.
- New management puts out another contract for a new system, being especially cautious, because they were "screwed" by the last team.
There are some variations to the anti-pattern. For example, they may retain the most useless contractor who worked on the project. Or, maybe even the most useful, but then bog them down with so much red tape that they literally could not make the password change without being criticized by management and losing their job.
It always comes from management. Always.
Hey maybe I should rename myself Cynical DBA! I can be like Scary DBA but much more easily upset ^^
March 26, 2014 at 2:56 am
Really interesting article. We have used Tesco for home delivery of groceries in the past. I have always thought that their website sucked and was prone to crash when too many people were using it. I could never understand this as I thought a big company like Tesco would invest heavily. After reading how outdated their kit is, this now explains a lot.
I wonder how many other high street brands which are now big on the internet side suffer the same sort of issue.
While I can understand companies not keeping up with the latest software versions, running a website like this on 11 year old technology must be a big risk. Perhaps a management consultant has calculated the risk against the cost of upgrading and recommended it is not worth it. :w00t:
March 26, 2014 at 3:47 am
Like functional testing, documenting and performance testing I guess security was an afterthought too. Unprofessional.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
March 26, 2014 at 7:00 am
I might not get it 100% right on this but I feel legislation is failing at this, at least from what I've seen.
Often I see that disclosing a vulnerability could end up with the person discovering it being sued, even if it was with the good intention of helping secure the website / software.
Having legislation in this way, I don't see why companies would "throw" (from their perspective) money at something they can sue you over. They can easily say "Laws prohibit you from discovering security issues" (even if the company implemented it all wrong, to stay polite). They already have lawyers working for them. It will be another case with a possibility to make more money and still run vulnerable software at lower cost for them.
Although I recognize that not every vulnerability can be found, a bare minimum CAN be done. As the author, Troy, showed in his article, something like "having a certificate, always running over https in a logged-in user account, one way encryption only, etc." could be a basis. The company followed the bare minimum rules required by the law and you're hacked? Well, this opens the way for the company to be sued. Not having done what is required by the law, the company can be sued by customers for avoiding the basic security practices the law obliges.
The main point about this is: companies won't make a move if they are backed by laws and will almost implement the bare minimum to get the job done and take the chance that it won't go wrong. In other words, if they saved more money with bad security measures they will still go that way.
There's a lot more to refine but this gives a rough idea.
I always remember that: "Money talks"
March 26, 2014 at 7:27 am
This is going to become more and more of an issue as more and more things are stored on servers with different types of software all intertangled together. At what point a software company is supposed to be held responsible for a security hole becomes a big question. 8 years, 10 years, 12 years.... Look at the reports of how many ATM machines are still running XP as their operating system, and 22% of the entire PC market is still running XP.. and that is just one operating system... think of all of the software that companies run... SQL Server, Oracle, IIS, Apache, Office, Weblogic, .Net, Peoplesoft, EBS, and on and on and on....
Hey, I'm just now thinking about how many different apps we have with databases in SQL2008, and in less than 5 years that version will no longer be on extended support from Microsoft. I know many companies running large systems on Win2003/SQL2005 that still don't have any plans to upgrade. We still have a few dbs in SQL2000 yet which are set to be upgraded to SQL2008 next month to end this two year upgrade project. Funny, once we are done with this upgrade we will be two versions behind already... :w00t:
March 26, 2014 at 8:15 am
skanker (3/26/2014)
While I can understand companies not keeping up with latest software versions running a website like this on 11 year old technology must be a big risk. Perhaps a management consultant has calculated the risk against the cost of upgrading and recommended it is not worth it. :w00t:
I agree - running on technology that old is risky.
I hope there was some sort of risk assessment performed as well.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
March 26, 2014 at 8:34 am
SQLRNNR (3/26/2014)
skanker (3/26/2014)
While I can understand companies not keeping up with latest software versions running a website like this on 11 year old technology must be a big risk. Perhaps a management consultant has calculated the risk against the cost of upgrading and recommended it is not worth it. :w00t:
I agree - running on technology that old is risky.
I hope there was some sort of risk assessment performed as well.
I feel that the risks are all in areas that commonly get ignored: supportability, security and maintainability.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
March 26, 2014 at 9:45 am
I think there is definitely a good argument to be made about software being patched/supported longer, or moving more to licensing models with ongoing support and new versions, rather than a buy/patch/upgrade cycle.
I'm not sure that this case is the best example of it. For a major e-commerce site, especially one bold (read: stupid) enough to proclaim 100% security of information, there is no excuse for not staying up to date. I don't think it's unreasonable to expect them to bear those costs. And is it the cost of the hardware/software that kept them on the old versions, or simply the effort needed to migrate and a fundamental lack of understanding of why it was important?
And in the meantime, I think big security holes in IIS or the .net framework would be tough things to patch on "existing" versions. To keep it on the same framework version, the patch would need to not change any documented behaviour, or you'd need to "migrate" code to the patched version. And while I know little about IIS, it seems to me that when you look back 10 years in internet versions, the design problems making it insecure could be pretty fundamental to both the server and OS design.
So while in principle it would be nice to see better support of a previous purchase, in the realm of something as rapidly evolving as internet technology, I'm not sure how feasible it would be.
March 26, 2014 at 9:54 am
Megistal (3/26/2014)
I might not get it 100% right on this but I feel legislation are failing to this, at least from what I've seen.
Often I see that disclosing vulnerability could end up the person discovering it being sued even if it was with the good intention of helping securing the website / software.
+1000!
Companies have no reason to invest in security, especially when they can invest in politicians at a significantly reduced cost!
March 26, 2014 at 12:10 pm
Maybe a standards entity like the ISO can come up with an extension to the SDLC as it applies to security? Something like that? Maybe it already exists? If companies like Target, who find themselves on the wrong end of a class action lawsuit, could convince a judge and/or jury that they adhered to some kind of industry standard for their customer facing software, it might go a long way in mitigating their risk. I would imagine that any standard would provide some general guidelines as it applies to upgrades. I just don't know if the ISO could do it without over-specifying it and making it unworkable. Great topic.
March 26, 2014 at 1:32 pm
I'm torn too. Gone are the days when an application could be developed and used for many years. Vendors can force-feed product version upgrades as the only means to be secure (i.e., patch bugs). And versions come out faster and faster. So, in addition to handing money over for assurance, you also need to spend a fortune to upgrade and redeploy applications that depend upon the product. No business process ROI - just the patches.
The development and production environments are in a continuous upgrade cycle that is getting ever shorter. Is there another platform option that's more stable? Are we are being manipulated into buying cloud services where we don't have to deal with this?
RandyHelpdesk: Perhaps I'm not the only one that does not know what you are doing. 😉