It’s hard to be too cynical about the security practices of software vendors: even those selling “security” solutions. Although most Irreal readers probably know a lot more about good security practices than the average user, security is a difficult discipline requiring specialized knowledge.
That’s why even we aware users rely on the specialists. In practice, for most of us, that means we buy prebuilt solutions from companies with a good reputation. After all, security is their business, so they’re mostly going to get things right.
Like most of you, I’m a developer and understand that there will always be bugs, but we expect that the professionals will produce products that at least cover the basics. What, then, to make of the first article in this newsletter? Hardcoded credentials in a security product? You must be kidding.
Sadly, they aren’t kidding. This isn’t the first security screwup on the part of SolarWinds. You have to ask yourself why they have any customers left. This isn’t some esoteric hack that slipped in around otherwise sound protections. It’s hardcoded credentials, which are probably the lowest of the low-hanging fruit for cybercriminals.
Things like this are exactly why Bruce Schneier recommends using open source for your security products. You never know what’s hiding behind that closed source. Yes, as a practical matter, most of us aren’t going to read that source, but someone will, and this sort of thing will get discovered sooner rather than later.
Of course, nothing will happen. Their customers will shrug, and the most you can expect from SolarWinds is that some low-level engineer will get fired as a sacrificial lamb. What should happen is that the CEO should fall on his sword, and if he doesn’t, the board should show him the door. This kind of thing simply isn’t acceptable today. It hasn’t been acceptable for the last 30 years, at least.