Accounting for Security

By Mary Ann Davidson


There is a smarter, more cost-effective approach to security than the prevalent method of developing and implementing patches once problems are discovered. But to achieve this, companies have to start by demanding better products.

Organizations should investigate the security practices of software vendors rather than accept that countless problems with an operating system or software application are inevitable. Users must demand stronger, more reliable products; their businesses depend on it.

Time and money that will otherwise be dedicated to fixing faulty products should be invested in this research before making the next purchasing decision. For example, the cost to deploy a patch for a recognized software flaw runs on average $900 per server and $700 per client. If an enterprise misses a patch and gets hit by a virus, the costs magnify.

Enterprises can make better purchasing decisions and reduce the potential back-end costs by researching a few key vendor practices: examining the vendor's corporate culture, specifically how security is built into its development process; insisting on a response plan for when vulnerabilities are found; and demanding third-party assessments.

Vendors must demonstrate that security is a priority at each step of the product development and delivery process. Training in secure coding practice and compensation tied to secure coding objectives are two such indicators. Vendors with a chief security officer and a team that analyzes products under development for weaknesses, or hacks its own products, are also more likely to take security seriously.

The vendor should also run its own enterprise on its software; if a company doesn't trust its own products to protect its secrets, why should you?

Additionally, third-party validation is a critical step in purchasing secure products. Some software and OS vendors submit products for rigorous security evaluations conducted by independent authorities, and these evaluations are recognized by governing bodies around the world. An evaluated product gives organizations a stated level of assurance about the product's security features and the claims made for them. Often, evaluators find weaknesses in the product that are corrected before the evaluation is completed.

These evaluations are not without a price. However, reputable vendors know that paying for an evaluation is cheaper than fixing a product already in use. Red Hat Enterprise Linux, for example, recently completed a Common Criteria (ISO 15408) evaluation at EAL2. As a result, security-conscious customers have independent assurance about the OS on which they run their enterprise applications. An evaluated product also meets the needs of the highest-security customers, such as the U.S. Department of Defense, whose acquisition policy for such products, National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, calls for an ISO 15408 evaluation. The evaluated Red Hat Enterprise Linux complies with the requirements outlined in NSTISSP No. 11, strengthening Linux's ability to reach into the government sector.

Patch Management

Organizations should be convinced that the vendor has an aggressive plan for handling problems that arise, and that the vendor follows a strict incident response policy for determining the severity of a security vulnerability.

The vendor should then build and issue a patch before announcing a security alert. Information distributed piecemeal to a handful of customers will exacerbate rather than calm the situation. All customers should receive the same level of notice, because all customers have sensitive or critical business information they want to protect.

Although these checks add a step to the product evaluation process, they raise the bar on security. If the industry fails to follow these guidelines, it risks having government agencies regulate the process.

Laws governing the way the healthcare and financial industries guard their data have already been instituted. If the rest of the market responsibly polices itself, such regulations will not be necessary.

"IT" now stands for "infrastructure technology," and needs to be as robust, secure, and reliable as physical infrastructure. We never worry about bridges failing, nor should we worry about critical IT systems going down because of design defects.

Adhering to these guidelines and choosing more robust, secure software is a sound business move that will cut costs and improve business in the near term.

Mary Ann Davidson is Oracle Corp.'s chief security officer.