Security posts are always interesting to me, and this one on Tesco security is no exception. It's an analysis from the outside of a number of problems that are blatantly obvious with the way Tesco deals with passwords for their web systems. A great read, one that even your managers might use to better understand why some security processes should be followed. Developers certainly should read this as well, and I'd recommend this as one post to pass around.

There is one point in the piece that I want to talk about.  In the post, Mr. Hunt mentions that the server software and development platform in use are old, 7 and 9 years old respectively. This section rightly points out that these technologies have been vastly improved, and security has changed. The company should have upgraded.

Or should they? Obviously if they were really worried about the security of their systems they should have, but how often do they upgrade? When is the upgrade treadmill from software vendors a costly path with little benefit and when is it really necessary? I'd argue that some of the security issues in software should be back ported and fixed. After all, vendors sold these products with the promise they'd work and be supported. Microsoft offers 5 years of mainstream support and 10 years of security support, so at least for the web server, Tesco should be OK.

I find myself torn on this issue. I certainly understand that software companies need to sell new versions of their products to maintain their businesses, but I also think they bear some responsibility for the security worthiness of their previous versions. Where and how we draw this line, I'm not sure, but I certainly don't think the answer is as simple as "just upgrade."