Beating Feds to the Punch

Developers may face legislation if they don't improve the safety and reliability of offerings.

In most security circles, the federal government does not exactly enjoy what one would call a stellar reputation. Years of missteps and wrongheaded attempts to rein in innovation, not to mention leaky security in its own networks, has done little to help the government win the hearts and minds of security experts and technologists.

In fact, the mere mention of the words "Clipper chip" in certain company is enough to provoke lengthy diatribes against Big Brother and impassioned defenses of capitalism and the free-market economy.

Consequently, when the President's Critical Infrastructure Protection Board last fall published its plan for defending and strengthening the nation's fragile networks, it was greeted with a healthy dose of skepticism—if not outright hostility. Many in the security community, as well as the high-tech industry at large, derided the strategy as too soft and lacking clear direction.

There was, however, one underlying theme in the strategy that may have gone unnoticed: If the software industry doesn't begin producing more reliable, secure software on its own, the government will force it to do so.

While this may seem like more government heavy-handedness, some top industry security officials believe it's a step in the right direction.

"I do think there's a subtext in that if the industry doesn't face up to this, we will face some legislation," said Mary Ann Davidson, chief security officer at Oracle Corp., in Redwood Shores, Calif. "It's been the dirty little secret—or not so secret—of the industry for a long time. Now, the government really means it this time, I think."

Speaking on a wide range of topics during an in-depth interview with eWeek recently, Davidson said software vendors' failure to deliver secure products has sparked an endless loop of patches, more and more security solutions, and a constant scramble to keep networks safe. All this has led to a lot of anger from customers, and justifiably so.

"As a result, you have security vendors claiming they can cure cancer, but they can't protect you against software vendors building insecure products," Davidson said. "Some of these products that claim they can do all this, that's fine, but I believe that no vendor can abdicate its responsibility to build secure software. The industry needs to make products secure by default. More software products should be like that."

That effort to make software secure by default is a key tenet of Microsoft Corp.'s Trustworthy Computing initiative. After years of criticism from customers, the press and even the government, Microsoft has put quite a bit of muscle and money behind the effort, hoping to make the security and reliability of its products a selling point for Microsoft instead of for its competitors.

Davidson, for one, said she believes that having the world's largest software vendor make security a top priority can mean only good things for the industry and customers.

"The fact that Microsoft has gotten on the bandwagon is having an effect. They're sincere, and they're doing good things," Davidson said. "They're doing it because the customers got angry. Even Microsoft can't ignore the Department of Defense. There were enough customers clamoring for change."

Oracle, which has always counted the federal government as one of its biggest customers, last year took its own shot at making security a selling point. Its ad campaign proclaimed the Oracle9i database to be "Unbreakable," a tag line that initially gave Davidson nightmares. But in the end, she said she believes the campaign had a positive effect on the company by drawing attention to security and reliability.

"[Oracle CEO] Larry Ellison proposed it, and when it got to me, I said, 'What are you thinking?' But it's about information assurance. It got this topic out there and focused our attention internally," Davidson said. "It was really good for the company. Now, customers want to know how we're building our products. There are certainly some moments when I break out the Valium, but it made my life easier in the end."

The "Unbreakable" campaign, aside from drawing the attention of crackers and vulnerability researchers, also gave Davidson and Oracle an opportunity to look at the way the company writes code and how that code is reviewed and tested before release.

"We grew up from the server side of things, and we're building software for paranoids that protects the crown jewels," Davidson said. "If someone can break into a default installation, we log that as a bug. This [is] part of our release criteria. Of course, we hold it up. That's a release showstopper. The sooner you can find that, the better off you are. But this was a nice focal point for us. We looked at all of our products and said, 'Why don't we extend ["Unbreakable" to all our products]?'"

However, Davidson said she believes that projects such as Trustworthy Computing and Oracle's internal security programs should not be differentiators in the marketplace.

"In the long run, I don't want [security] to be a competitive advantage. This should be table stakes," Davidson said. "It's a very interconnected world. Having the government step up makes a big difference. It changes the way you build products.

"The government has been one of our bread-and-butter markets. There's no other database [aside from Oracle's] that can be used in a national security context. We absolutely do not lose business based on security."