Five ways that software vendors can boost security
Is your software vendor doing everything it can to secure its products? As Sun Microsystems Inc. learned this week, there is always room for improvement.
Sun changed the way it releases security updates to its destkop Java SE (Standard Edition) platform this week following pressure from customers and security experts like Marc Maiffret, chief technology officer with eEye Digital Security Inc.
Maiffret had blasted Sun a few months ago for releasing Java fixes to developers ahead of regular users -- a practice that he said could give the bad guys a golden opportunity to reverse-engineer the developer code and uncover new ways of attacking Sun's 800 million Java SE users.
With Sun now pledging to release all of its Java SE updates at the same time, IDG News Service asked Maiffret what suggestions he'd offer the software industry on improving security. Following are his top five tips:
1) Make it easy for the hackers to tell you what they know. According to Maiffret this is the number one way to improve your relationship with the security community and it's easily done: "Have the secure@ and security@ e-mail addresses listed under your contacts page or some sort of security landing page," he said.
2) Do what Sun did. Make sure that you fix the bugs in all of your products at the same time so you don't accidentally hand over security details in code that could be reverse engineered and then used to attack customers who haven't yet been given the fix.
3) Make sure there is a very straightforward way that the customer is notified of security fixes -- either via e-mail or through the product itself.
4) Separate security updates from feature updates. This is especially important for consumer products. "A lot of times you'll have a vendor trying to tell you, 'You want this new photobook album functionality?' and you'll say, 'no' without realizing that it actually contains critical security updates," Maiffret said.
5) List your upcoming security fixes as soon as you've identified a new issue. Yes it may make for some bad PR at first, but by notifying users as soon as a vulnerability has been verified, you document your ability to patch the problem "When you have that public timeline, it actually allows customers to see if someone's taking too long so they can put pressure to have it fixed more quickly," he said.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
