Offshore Threat Debated at Hearing on Network Security

Vendors put on defensive before House
June 07, 2004 (IDG News Service) -- WASHINGTON -- Offshore software development is one factor behind the escalation of exploitable network vulnerabilities, according to testimony at a hearing on network security before a U.S. House subcommittee last week.
Software companies must add more controls to the development process for software produced outside the U.S., said Steve Solomon, CEO of Citadel Security Software Inc. in Dallas.
"Software development organizations should be required to have all overseas-developed software examined for malicious capabilities embedded in the code," Solomon told the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. "Industry and government must work together to develop some form of standard or review process to address this growing threat."
Solomon's comments were rebutted by representatives from Microsoft Corp. and Juniper Networks Inc.
"It really doesn't matter where software is developed," said Dubhe Bienhorn, vice president of Juniper Federal Systems. "It is a process that requires very tight controls and very intense scrutiny."
Cheap Solution
Solomon defended his comments by pointing out that software vendors see offshore development as "easy and cheap."
"Maybe my colleagues on this panel have [secure offshore] processes in place," he added. "A lot of companies don't."
Subcommittee chairman Rep. Adam Putnam (R-Fla.) focused some of his questions on the process of patching software after vulnerabilities are discovered. When Putnam asked whether the patching process and the alert process that accompanies it are working well, Scott Culp, senior security strategist at Microsoft, said he believes that software vendors are working hard to notify customers.
"We have a very active interest in making sure as many people as possible know about our mistakes and how to fix them," Culp said.
Asked by Putnam if he's satisfied with the patch and alert process Microsoft now has in place, Culp responded that he's never satisfied. "I'd like to send out a lot fewer of those alerts," he said.
Putnam started the hearing by taking both private companies and government agencies to task for not moving fast enough to address continuing cybersecurity concerns. "As a nation, we have taken very dramatic steps to increase our physical security, but protecting our information networks has not progressed at the same pace, either in the public or in the private sector," Putnam said. "I remain concerned that we are collectively not moving fast enough to protect the American people and the U.S. economy from the very real threats that exist today. ... The time for action is now."
False Sense of Security
Solomon also suggested that companies that rely on patch management services have "false security" and may be neglecting larger problems. For example, they may not have broad security policies or plans for recovery after attacks. "On average, only 30% of an organization's verified vulnerabilities relate to patching, leaving their networks exposed to the remaining 70% of the problem, which are more dangerous and easily exploited," he said. "These products do not address the problem of full life-cycle vulnerability management and effectively become part of the problem."
Louis Rosenthal, executive vice president at ABN Amro Holding NV in Chicago, called on the subcommittee to find ways to encourage software vendors to accept responsibility for the role their products play in supporting U.S. critical infrastructure. He also asked the subcommittee to support a measure that would hold software vendors more accountable for the quality of their products and for continuing patch support for older but still viable versions of their software.
Incentives like tax breaks, cybersecurity insurance and lawsuit reform could encourage software companies to make more secure products, Rosenthal added.
Gross writes for the IDG News Service.
Story copyright 2006 International Data Group. All rights reserved.