Home
News
E-mail Newsletters
Blogs
Tech Dispenser
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Print Subscriptions

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Opinion: Secure software? Don't hold your breath

Chris Conrath, Computerworld Canada   Today’s Top Stories    or  Other Security Stories  
 

Sign up to receive Security Resource Alerts

October 01, 2002 (IDG News Service) -- TORONTO - It used to be we lived in a world with only two certainties: death and taxes. Now it seems there is a third: insecure software.
Bruce Schneier, renowned cryptologist, CTO of Counterpane Internet Security Inc. and security expert, recently told me, in no uncertain terms, that all software is crap when it comes to security. Others have joked that the ultimate oxymoron is not "military intelligence," but rather "secure software." The sad fact is the jokes may be true. After all, a quick visit to the Carnegie Mellon CERT Coordination Center Web site -- one of the best sites for security information on the Net -- and you can find a list of 514 vulnerabilities for Microsoft products. Oracle has 178. They are by no means the only guilty parties, but as the largest software vendors in the world, their security holes affect the most users.
Free market capitalism is supposed to be the closest the business world gets to a pure Darwinian existence. So with security currently all the rage, one could assume those companies with the most secure technologies would prosper the most. But the evolution of technology has taught us that it is not always the fittest that survive, it's the fastest.
Herein lies the first problem, also known as tech marketing 101. Whatever it is you are trying to sell, get it to market before the competition. Bug fixing can be done later. This thinking seems to dominate among software vendors. Until recently.
A conversation with Mary Ann Davidson, the chief security officer with Oracle Corp., did a relatively good job of convincing me that maybe the tide is changing. Maybe.
Her logic is that the recent U.S. federal government policy to buy only security-evaluated software will force companies to change their focus from time to market to security. After all, it is the only customer left that still has "big bucks" left to spend on IT, with enough buying power to move an entire market.
But how will this change problem two? The most common security crack is the result of buffer overflow, which causes about 80 per cent of security vulnerabilities. But even Davidson admits that stopping buffer overflow by checking boundary conditions is a skill that should be learned in coding 101. So if all developers know how to prevent it, why do we still see it all the time?
There seem to be several reasons behind this. The first is the hardest to change -- companies need to adopt more of a security culture. Bill Gates' famous leaked e-mail about changing the culture at Microsoft to one focused on security may eventually pay off, but if the number of security patch downloads for Windows XP is any indication, success is a long way off.
Coding languages are also often held accountable. James Gosling, a fellow at Sun Microsystems, once told me the key to correcting the overflow situation is to program with Java. But the likelihood of Java being the lone development language is zero.
The last of the coding problems may be the easiest to tackle. Davidson said she has yet to find a really good tool for scanning source code, one that could easily check for buffer overflow. She said the lack of "sexiness" may be why more companies aren't focusing on bringing a tool to market.
Maybe sexiness is the key. Once security becomes as cool as wireless or the latest Web app then we might start to see more advances made.
Finally, there are those, like Schneier, who want to move the security yardsticks much faster by making companies liable for the products they sell.
This is a pipe dream, at least for the time being. If software manufacturers, for the most part, won't take liability for their product, even when it is used in the most controlled environments where only certain applications are allowed to interact with certain others, how in the world do we expect them to accept liability when their product has to perform flawlessly in a veritable bouillabaisse of applications?
In hindsight, I guess it is a bit na?ve of me to think we will ever be able to create perfection in something as inherently prone to flaws as software. After all, we are still working on the perfect toaster.

Conrath is a senior writer with ComputerWorld Canada. He can be reached at cconrath@itworldcanada.com.


Reprinted with permission from

For more news from IDG visit IDG.net
Story copyright 2006 International Data Group. All rights reserved.


Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story

Blogs

"If you're controlling document transmission processes, don't overlook your multifunction printers, advises one vendor...." Read more...
"Is it just me or is Twitter suddenly experiencing a much, much heavier spam deluge than usual? And how evil..." Read more...
Read more Security posts or See all Blogs

DNS hole prompts synchronized patching effort by IT vendors
Microsoft plugs nine holes in Windows, DNS, SQL
Symantec warns of new Word attack
More top stories...
Microsoft sets XP SP3 automatic download for Thursday
Don't give Google a free pass on data collection, privacy advocates say after YouTube ruling
XP SP3 to reach most users 'shortly,' says Microsoft

This old laptop: Revitalizing an aging notebook on the cheap
All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how.
Bill Gates moves on
Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft.
Five things you should never tell your boss
There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss.
Hands-On: Firefox 3 fixes what's broke and keeps what's right
With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be.

FROM THE BLOGOSPHERE

Windows Vista A to Z
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
IT Careers 2010
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
Data Center Management Zone
Enterprise-Class Security Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
Business Intelligence and Analytics Zone


Ads by TechWords

See your link here
Why SaaS is Vital to Email and Web Security
Why SaaS is Vital to Email and Web Security
Download this webcast, free, compilments of Webroot Software
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Eliminate SPAM, Gain Productivity
Get this white paper now!
(Source: MessageLabs) Learn all about the dangers and the costs of spam in all its forms - from stock-touting to spreadsheet. Also, understand the drawbacks of traditional hardware- and software-based defenses - and the unique benefits of MessageLabs multi-layered, managed Anti-Spam solution; as illustrated by a real-world case study where MessageLabs stopped spam cold.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Virtualization Analysis for VMware
A Guide to Understanding Messaging Archiving
Archiving Compliance with Sunbelt Exchange Archiver
View more whitepapers 

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld MacUser Macworld Network World PC World Playlist
Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.