I ran across a blog noting that Cisco has a vulnerability in a new product. The blog also lists two (one, two) articles showing that Cisco has had hard-coded credentials in the past. I understand that many times a known process is repeated, essentially copy-pasted between people, and we have similar issues as we have had in the past. However, in 2022 or 2023, it's unacceptable to hard-code credentials in digital systems that will be used in today's world.
What's worse than having this issue is stating that the fix is "an upgrade". Their verbiage for those without a service contract is: "Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade." That, to me, is not only bad for the world; it's equivalent to the stuff that bulls leave behind in the fields.
I suspect that this product and software were based on something that already exists, and it was rushed out without a good security evaluation. Or perhaps there are developers and managers who don't think that hard-coding credentials will compromise security.
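To make the "hard-coded credentials compromise security" point concrete, here is an added example (not from the original post, and not Cisco's code): a small scanner that flags literal credentials in source or device-config text, beside the hardened pattern of loading a per-deployment secret from the environment and refusing to start without it. The sample lines, the environment variable name `DEVICE_ADMIN_PASSWORD` and the helper names are all constructed for this illustration.

```python
"""Added example: detect hard-coded credentials in source/config text, and
show the hardened alternative of reading a secret with no built-in default.
Sample input and names are constructed; nothing here is vendor code."""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Patterns a code-review or CI gate can apply. Group 2 is the literal value.
CREDENTIAL_PATTERNS = [
    # key/assignment style: DB_PASSWORD = "..."   api_key: '...'   token="..."
    re.compile(r'(?i)\w*(password|passwd|pwd|secret|api[_-]?key|token)\w*'
               r'\s*[:=]\s*["\']([^"\']+)["\']'),
    # plain-text device-config style: "enable password X" / "username U password [7] X"
    re.compile(r'(?i)^\s*(enable\s+password|username\s+\S+\s+password)\s+(?:\d\s+)?(\S+)'),
]

# Values that are obviously placeholders rather than real secrets.
PLACEHOLDERS = {"changeme", "redacted", "example"}


def is_placeholder(value: str) -> bool:
    """True when the matched value is a template marker, not a usable credential."""
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("<")


def scan_for_hardcoded_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line embedding a literal credential."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match and not is_placeholder(match.group(2)):
                findings.append((lineno, line.strip()))
                break  # one finding per line is enough
    return findings


def load_device_credential(env_var: str = "DEVICE_ADMIN_PASSWORD",
                           environ: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: take the credential from the environment (or a secret
    store injected the same way) and fail closed when it is absent, instead of
    falling back to a default that every shipped unit would share."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start with a default credential")
    return value


# Constructed sample: a mix of source lines and device-config lines.
SAMPLE_SOURCE = """\
# constructed sample input for the scanner
DB_PASSWORD = "changeme"
api_key = "AKIAEXAMPLEKEY123"
password = os.environ["DEVICE_ADMIN_PASSWORD"]
enable password cisco123
username admin password 7 0822455D0A16
"""

if __name__ == "__main__":
    for lineno, line in scan_for_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded credential -> {line}")
    # Expected: lines 3, 5 and 6 are flagged; line 2 is a placeholder and
    # line 4 already uses the hardened pattern, so neither is reported.
```

Line 2 of the sample is skipped as a placeholder and line 4 is skipped because the value comes from the environment; the remaining three lines are exactly the kind of thing that ships in a product when nobody gates the build on a check like this. The config-style pattern deliberately flags "password 7" lines too, since that reversible encoding is not a substitute for keeping the secret out of the image.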
That's a cultural problem. Either you're going too fast or you don't take this seriously; either way, you don't have a good culture that values quality and protection. Certainly, their disclaimer about needing a valid contract or proving you own a device to get a security patch for a flaw they built is also a sign of a poor culture that doesn't really understand the problems it is creating, nor is it taking responsibility for the issues.
At the very least, fixing their poor security ought to be free and easy. I get that there are likely some software upgrades included in this patch, given the nature of software development and the limited number of branches under support. However, there are other ways to ensure those features aren't enabled for customers who shouldn't have them. Making the entire world of computer network infrastructure less secure because you want customers to pay for your mistakes isn't a model I'd want to adopt.
I know many people don't want more regulation or guidelines from governments (or even from insurance), but if I were going to accept some universal restriction, this would be the place. If you use hard-coded passwords, your product can't be sold and no insurance claims apply if you are sued.
Maybe that would change the way Cisco and others build software.