Why should Microsoft take the blame for bad programming?

30th April 2008 by David North

There have been reports in the news of around half a million websites built on Microsoft's web platform being hacked. Everything is being blamed on IIS, when in actual fact the cause is poor programming by the developers of the affected websites.

The compromises stem from a type of attack called SQL injection, which is a flaw in how the website's own code talks to the database layer, not a flaw in the web server, despite what seems to be reported everywhere.

The automated attack takes advantage of two things: websites that build SQL statements by pasting user input straight into a query string, and databases that aren't locked down by default, which lets the injected SQL perform tasks inside the database that really shouldn't be allowed (modifying data that the page was only ever supposed to read, for example). Best practice for database development should include anticipating the different types of attack, SQL injection among them, and employing defensive programming techniques: parameterized queries or stored procedures instead of string concatenation, and validation of every piece of input before it goes anywhere near a query. In addition, the database user that the web application connects as should be locked down to the minimum access it needs, so that even a successful injection can do little damage.
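To make the two halves of that advice concrete, here is an added example (not code from the original post, and not taken from any of the hacked sites) of a product search written the vulnerable way beside the parameterized fix. The table, its rows and the attacker's input are constructed for illustration, and SQLite stands in for the real database engine so the script runs anywhere:

```python
"""Added example: SQL injection in a search feature, showing the
concatenation-based query next to its parameterized replacement.
Schema, data and attacker input are constructed for illustration;
SQLite stands in for the production database so this runs offline."""
import sqlite3


def make_db():
    """Constructed sample data: a products table with one unpublished row
    that the search page is never supposed to reveal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "unreleased-thing", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    """The pattern behind the attack: user input pasted straight into the
    SQL string. A single quote in `term` ends the string literal and
    everything after it is executed as SQL, not treated as data."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The fix: a parameterized query. The driver sends `term` to the
    database as a value bound to the placeholder, so quotes inside it
    can never change the structure of the statement."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%' || ? || '%'")
    return [row[0] for row in conn.execute(sql, (term,))]


# Constructed attacker input: closes the string literal, adds an always-true
# condition, and comments out the remainder of the original query.
ATTACK = "x' OR '1'='1' --"


if __name__ == "__main__":
    db = make_db()
    print("normal search, vulnerable:", search_vulnerable(db, "wid"))
    print("normal search, safe:      ", search_safe(db, "wid"))
    print("attack, vulnerable:       ", search_vulnerable(db, ATTACK))
    print("attack, safe:             ", search_safe(db, ATTACK))
```

With the ordinary term both functions return the same row; with the crafted input the concatenated version returns every row, published or not, while the parameterized version returns nothing because the whole string is simply a pattern that matches no name. The example only reads data, but the same quote-break works inside any statement the page executes, which is why the second half of the advice matters: on SQL Server the account the site connects as should be a dedicated login granted only the rights it needs on the tables it uses, never a member of db_owner or sysadmin.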

SQL injection attacks aren't limited to Microsoft databases; any application that builds queries from untrusted input is exposed, so this should really serve as a warning to all programmers.