Enterprise software manufacturers should ship products with the maximum security set as default, according to Mary Ann Davidson, chief security officer at Oracle.
Getting the basic installation right could boost the security of users' IT systems significantly, said Davidson at the OracleWorld conference in San Francisco.
“We certainly make products secure by default, yet there is still way too much manual configuration customers have to do to secure their systems,” she said.
As business users struggle to cope with the spate of worms, viruses and hacking, the damage caused by malicious attacks could be minimised if software were set to the highest level of security when it was installed.
“My biggest fear is that something we fail to do will create a problem for customers,” Davidson told Computer Weekly.
Oracle now runs a standard software development process for creating not just the Oracle database but also its applications suite. Within that, “We have release criteria for all our products and support tools to ascertain security worthiness,” she said.
The timing of security alerts and patch management issues have increasingly caused controversy as the number of malicious incidents has increased. Davidson believes it is important for Oracle users to receive the information on a security alert at the earliest opportunity.
“We have so many customers and so many sectors that can be considered part of infrastructure that would not be on the insider list [the organisations and businesses that governments deem to be critical to the functioning of society],” she said.
However, Cisco's recent handling of a flaw in its IOS operating system impressed Davidson. “Cisco made a good case in alerting its internet infrastructure customers first,” she said.
Davidson added that in the Cisco example, the people running the internet backbone would have been the most exposed by the IOS flaw. If the internet infrastructure were damaged, everyone else would be affected.
Suppliers need to try to fix problems as quickly as possible with good-quality patches, she said. “It does not do you a lot of good releasing a patch that breaks customer systems,” she said. “They won’t trust you the next time around,” when the flaw may be more critical.