Lawmakers and chief security officers are fed up with the lack of security in todays software products, and its up to vendors to change their practices if they want to hold on to their customers and avoid onerous regulations, Oracle Corp. CSO Mary Ann Davidson said at the eWEEK Security Summit in San Francisco last Wednesday.
Speaking to a group of top IT executives and CSOs, Davidson said that vendors have failed customers by refusing to build security into their products. And, she added, most software companies will change that philosophy only if and when customers force them to do so.
“Vendors should build security into their products anyway because its the right thing to do and customers demand it,” Davidson said. “They shouldnt do it just to avoid regulation. But the corollary to that is that they may see regulation coming if they dont do it.”
Many agencies within the federal government, where Oracle does a lot of work, have, in fact, made security a main driver in their buying decisions. The U.S. Department of Defense and the U.S. Department of Homeland Security are the two most notable examples, and some of the smaller agencies have begun to follow suit.
In addition, Davidson said, any software vendor should have a formal set of guidelines that customers can use to turn off unneeded services and lock down a given product. Many of the larger software vendors, including Microsoft Corp., Oracle and Sun Microsystems Inc., have such guides, and some third-party groups such as the Center for Internet Security have developed secure configuration guidelines, as well.
“Any product you buy, the vendor should be able to tell you how to lock it down, give you an automated tool to do that and ship it in a configuration thats as locked down as possible,” Davidson said. “There have been a couple of big government contracts lately where they said, You will deliver this to us in the most secure configuration possible because it saves the government millions of dollars on their end.”
Security experts say that the vast majority of software vulnerabilities could be eliminated during the development process if vendors employed more secure coding practices. But many companies have been reluctant to make such a radical change in their processes because it would inevitably add costs and stretch out the development cycle, delaying release.
Some large vendors, including Oracle and Microsoft, have made the effort to train their developers on secure coding practices, and though this process can cost millions of dollars, it pays off in the long run through fewer vulnerabilities that need fixing after release.
“One of the problems is that no accreditation exists in the software industry. Engineers need to show a level of knowledge and go through an apprenticeship and earn an accreditation,” Davidson said. “No one has any accountability in the IT industry.”
Davidson urged the audience members to put vendors to the test on security when theyre considering buying a new product. Most important, she said, IT managers and CSOs should ask vendors whether they train their developers in secure coding practices and whether developers pay is tied to the quality of their code.
“I know what it costs to fix avoidable programming errors. Its expensive,” Davidson said. “Developers dont think this way. The IT industry needs to get it. IT is now infrastructure; its not a hobby. Theres no reason that vendors shouldnt get together and talk about how you write really good code. This isnt a trade secret.”
The alternative to improving the development process is an edict from Capitol Hill, mandating some kind of security certification. Legislators have taken a keen interest in security of late, both at the state and federal levels, and there are few, if any, vendors interested in more attention from lawmakers.
“We need some kind of market correction, and regulation is one form of that,” Davidson said. “Big buyer tends to work better than Big Brother because its more flexible. No one wants regulation, but thats the way its going to go if we dont fix it ourselves.”