In a roundtable discussion moderated by eWEEK Technology Editor Peter Coffee, some of the industry's top security experts spoke candidly about the ability to secure e-business; the responsibility and culpability of the vendor, IT management and hacker communities; the security challenges inherent in Web services; and how enterprise IT can not only respond to but also stay a step ahead of security problems.
Their verdict? Attitudes are improving, but core problems will take years to fix.
Mary Ann Davidson, chief of security, Oracle Corp., Redwood Shores, Calif.
Ed Glover, director of enterprise security and customer engineering, Sun Microsystems Inc., Palo Alto, Calif.
Brian LaMacchia, lead .Net Framework security developer, Microsoft Corp., Redmond, Wash.
Steve Lipner, director of security assurance, Microsoft
Alan Paller, director of research, The SANS Institute, Bethesda, Md.
Steve Trilling, director of research, Symantec Corp., Cupertino, Calif.
Peter Coffee, eWEEK technology editor
Coffee: I want to begin by asking if you think there is a greater acknowledgment of the security problem. Do you think that computer users and system operators are more inclined now to treat security as a shared responsibility instead of something that's just supposed to happen in the basement?
Trilling: Absolutely. In fact, I would say even more strongly that the notion of security has really moved to the boardroom and CEO level, as well as to the legislative level on the government side. What used to be more of a purchasing issue is now something that really needs to guide the fundamental business strategy of any organization.
Just to give an example, a company like Dow Chemical was estimated to have done $1 billion of revenue online alone in 2001. Clearly, lots of organizations across all spaces, not just technology spaces, are generating a lot of income and a lot of business from online activities. The need to secure all those transactions, both going outside the organization as well as inside the organization, is going to play a fundamental role in any business strategy moving forward.
Coffee: This question goes to our Microsoft panelists: Microsoft is at the beginning, as we speak, of a one-month lockdown, where you're not going to write any new code but are going to be reviewing your existing code base for integrity issues. Can you comment on that, and on the effect on the company of the very high-level directives you've been receiving from your top management on that score?
Lipner: Microsoft has always had a focus on security, but we've [also] had a focus on usability, a variety of focal points that we've tried to balance. I think that Bill's e-mail [a memo to staff articulating a broad-based plan to combat security and reliability problems in the company's products] has a clear impact of changing the balance. That really gets a lot of very bright people very energized to do security in a much higher priority way, and that's going to have a long-term impact on the security of our products.
LaMacchia: Just to add onto that, we in the developer division actually went through sort of a miniature version of this security push, as we call it internally, last December, just as we were finishing up Visual Studio .Net. We took the entire developer division and focused it on trying to find exploits on top of our own code, and that was a very productive time. For those of us who are working in security day in and day out (on security features and penetration testing), it's quite refreshing, actually, to be able to get all of the energy that normally goes into all of the various aspects of Microsoft and focus on our particular area to help make the product stronger. Now we're actually carrying that over, and the fact that we have this extra month to do even more testing and even further analysis is great from our perspective.
Coffee: Oracle has really thrown down a challenge to the dark side of the IT community and a promise to the IT buyer with the "unbreakable" label. Was that something you did because research indicated it was what people wanted to hear, or did it come from an internal conviction that this was the time to put that stake in the ground?
Davidson: I think we should differentiate between [Oracle Chairman and CEO] Larry [Ellison] deciding this is a great marketing campaign and what we've always been doing.
Just to recap, we didn't actually have a compulsion to do something like stop development for a month, although I certainly laud Microsoft for focusing on that.
Since we've been doing security evaluations for over 10 years, we've already built in processes that say that security isn't an afterthought. It's something that we've built into our development processes from the get-go, and, as a result, we have a culture of security.
For example, we've always been willing to stop a release if there was a large enough security issue that we would need to address before the product goes out the door. Every one of those evaluations represents about $1 million in additional security [quality assurance] by someone other than Oracle to make sure that, not only is the product robust, but that our secure development processes are spot-on.
The only difference with "unbreakable," really, is that we've already begun taking those processes and moving them across the entire product stack, and that includes everything from secure coding standards to security checklists before we release the product. We continue to do formal evaluations, and we have an ethical hacking team that does internal risk assessments. So, for us, "unbreakable" is sort of more of the same. The difference is that we're sticking our neck out and saying that everyone ought to take the "unbreakable" pledge. Everyone ought to be willing to step up and say that your product has to be bulletproof.
Coffee: Alan of the SANS Institute is the only one here who never has to wonder if a product shipment should be delayed to meet a security goal. Alan, what's your comment on what we've been hearing from our industry participants? Do you think that there's been any change in people's willingness to hold up the shipment of a product to meet a security criterion, or do people still push it out the door and let the user discover the problems?
Paller: I think there's a real change that's taking place, and it's palpable in Microsoft's products already. The weakness, though, is it's solving about one-tenth of the problem and making 90 percent of the noise.