    Lax Security in Software Hurts Vendors, Customers

    Written by

    Dennis Fisher
    Published March 14, 2005

      Lawmakers and chief security officers are fed up with the lack of security in today's software products, and it's up to vendors to change their practices if they want to hold on to their customers and avoid onerous regulations, Oracle Corp. CSO Mary Ann Davidson said at the eWEEK Security Summit in San Francisco last Wednesday.

      Speaking to a group of top IT executives and CSOs, Davidson said that vendors have failed customers by refusing to build security into their products. And, she added, most software companies will change that philosophy only if and when customers force them to do so.

      “Vendors should build security into their products anyway because it's the right thing to do and customers demand it,” Davidson said. “They shouldn't do it just to avoid regulation. But the corollary to that is that they may see regulation coming if they don't do it.”

      Many agencies within the federal government, where Oracle does a lot of work, have, in fact, made security a main driver in their buying decisions. The U.S. Department of Defense and the U.S. Department of Homeland Security are the two most notable examples, and some of the smaller agencies have begun to follow suit.


      In addition, Davidson said, any software vendor should have a formal set of guidelines that customers can use to turn off unneeded services and lock down a given product. Many of the larger software vendors, including Microsoft Corp., Oracle and Sun Microsystems Inc., have such guides, and some third-party groups such as the Center for Internet Security have developed secure configuration guidelines, as well.

      “Any product you buy, the vendor should be able to tell you how to lock it down, give you an automated tool to do that and ship it in a configuration that's as locked down as possible,” Davidson said. “There have been a couple of big government contracts lately where they said, 'You will deliver this to us in the most secure configuration possible,' because it saves the government millions of dollars on their end.”

      Security experts say that the vast majority of software vulnerabilities could be eliminated during the development process if vendors employed more secure coding practices. But many companies have been reluctant to make such a radical change in their processes because it would inevitably add costs and stretch out the development cycle, delaying release.

      Some large vendors, including Oracle and Microsoft, have made the effort to train their developers on secure coding practices, and though this process can cost millions of dollars, it pays off in the long run through fewer vulnerabilities that need fixing after release.

      “One of the problems is that no accreditation exists in the software industry. Engineers need to show a level of knowledge and go through an apprenticeship and earn an accreditation,” Davidson said. “No one has any accountability in the IT industry.”

      Davidson urged the audience members to put vendors to the test on security when they're considering buying a new product. Most important, she said, IT managers and CSOs should ask vendors whether they train their developers in secure coding practices and whether developers' pay is tied to the quality of their code.

      “I know what it costs to fix avoidable programming errors. It's expensive,” Davidson said. “Developers don't think this way. The IT industry needs to get it. IT is now infrastructure; it's not a hobby. There's no reason that vendors shouldn't get together and talk about how you write really good code. This isn't a trade secret.”

      The alternative to improving the development process is an edict from Capitol Hill, mandating some kind of security certification. Legislators have taken a keen interest in security of late, both at the state and federal levels, and there are few, if any, vendors interested in more attention from lawmakers.

      “We need some kind of market correction, and regulation is one form of that,” Davidson said. “Big buyer tends to work better than Big Brother because it's more flexible. No one wants regulation, but that's the way it's going to go if we don't fix it ourselves.”
