SANS: Pressure on vendors can prevent security woes
Companies are having more success in pressuring software vendors into baking
security into their products, a trend that vendors are resisting less, the director
of research for the SANS Institute
said Wednesday.
Before granting a contract, companies now are requiring that vendors also test
software patches on systems with the same configurations as users are running,
said Alan Paller of SANS, an IT training organization.
Another new trend is groups of companies agreeing on base security standards
for applications and then passing those requirements onto vendors.
"It's using the contracts to shift the responsibility for security upstream
to the vendor where the economies of scale make it [security] cost effective,"
Paller said.
Software makers have fought the initiatives "tooth and nail," but
are coming around, Paller said. "They don't like the users to take control,"
he said. "They want to control the buying process, so they don't like this
idea, but there isn't any other idea that's a good one for fixing these problems."
The requirement comes after companies have struggled with slow patching cycles
and rising risks that come with deploying insecure Web-based applications.
Web sites are rife with security problems: In 2006, the Web
Application Security Consortium surveyed 31,373 sites and found that 85.57
percent were vulnerable to cross-site scripting attacks, 26.38 were vulnerable
to SQL injection and 15.70 percent had faults that could let an attacker steal
information from databases.
"This is a big problem," Paller said. "We've got to get it fixed
in a hurry."
Vendors have typically only tested their software patches on machines in default
configurations, which isn't representative of the real IT world, Paller said.
Many businesses use custom applications with custom configurations, which require
rigorous testing to ensure a patch won't break their applications.
The U.S. Air Force was one of the first organizations that tried a new approach
when contracting IT systems with Microsoft and other application vendors about
two years ago to enable speedier patching, Paller said.
The Air Force's CIO at the time, John M. Gilligan, consolidated 38 different
IT contracts into one and ordered all new systems to be delivered in the same,
secure configuration. Then, he ordered that application vendors certify that
their applications would work on the secure configurations, Paller said.
Then Gilligan took his case to Microsoft. At the time, it took the Air Force
about 57 days between the time a patch was released until their 450,000 systems
were up-to-date. Gilligan wanted Microsoft to test its patches on machines with
the same configuration as the Air Force's, shifting the cumbersome testing process
back to the vendor.
The negotiations, which didn't start off well, culminated with a meeting with
CEO Steve Ballmer. "The story is that he [Gilligan] use a four-letter word
in the meeting," Paller said. "You know what the four-letter word
was? Unix."
Gilligan won. Now, the Air Force can patch in about 72 hours now, and they're
looking to cut that to 24 hours, Paller said. The idea was so successful that
as of Feb. 1, the U.S. government implemented the same conditions for all of
its agencies.
"It's a fascinating time in security in Washington, [D.C.], Paller said.
Another sea-change is under way in security: Training application developers
in security. Traditionally, security has never been a part of computer programming
courses. Paller said he's been making the case for stronger security training,
but in many times received a cold shoulder from universities, who have little
incentive to change their ways -- until now.
Heavyweight IT companies are warning universities that they don't want to have
to send new hires to remedial security training. Mary Ann Davidson, chief security
officer at Oracle, wrote
earlier this month that she contacted the top 10 universities the company
recruits from, saying only those with security training would get preference
in hiring.
That's an embarrassment to universities, which will now likely modify their
curriculum accordingly. Interestingly, developers want security training. "The
programmers want to know what they don't know," Paller said.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
