A new worm doing the rounds is turning servers running older versions of the JBoss Application Server into botnet drones. The malware behind the attack is significant both because it targets servers rather than PCs and for its reliance on exploiting a vulnerability that is over a year old – a flaw in JBoss Application Server …
This worm hit one of our servers, and the Microsoft-lovers in our server department blamed it on "a broken open source package", rather than "we haven't patched one of our minor servers since Stonehenge was built."
Shows that we have to do our bit as well
I have just finished a series of security awareness presentations in regional offices and highlighted how long it took mobile phone network providers to force people to put a pin on voicemail before it could be accessed from another phone, 4-5 years, i.e. you cannot trust manufacturers to fix security weaknesses in a timely manner.
Red Hat fixed this quickly, but admins failed to patch, so while we can moan about industry being slow to respond, we need to look to ourselves as well. There was probably a false sense of security in that Linux is not often a target, but these days, everyone is a target and when there is a security patch released, there should be someone applying it.
Yep. The script kiddies go for the low hanging fruit, but the crafty thugs target tougher stuff because they have the bigger toys.
It could also be that outsourced code is crap.
Some a-hole lies to the headshop about his skillz, then the headshop lies to the contract holder about the skill sets their code slaves have on tap. Then someone's cousin steals the code off of the Internet and it takes the whole village to make something that looks like it works.
Outsourcing is a phenomenally stupid idea. Unless you want to make room for bonus $$$ and want to kill the company.
So you advocate every corporation develops its own office application suite?
Sturgeon's Revelation applies to all programmers and all code, regardless of location. 90% of *EVERYTHING* is crud.
There is nothing magical about in-house developers that makes them immune from making mistakes.