The security chiefs of several large infrastructure and
software vendors said they are doing all they can do to embed
security into their products, but they agreed that more work must
be done to improve security between their platforms.
Even though vendors have built in security controls to narrow
the gap between their products and their partner products, gaps
remain. That makes it difficult for IT security professionals to
manage multiple platforms and secure transactions between various
applications and servers.
In a roundtable discussion with attendees at the
Burton Group Catalyst Conference Wednesday,
the security chiefs from Oracle, CA., Microsoft, EMC's RSA
division and intrusion prevention system vendor Third Brigade
said their organisstions are working to be more proactive about
security. Still, conference attendees said growing heterogeneous
environments and the explosion of Web-based applications has
made security difficult to control.
Secure software code is a priority at Oracle, said Oracle CSO,
Mary Ann Davidson. She suggested more collaboration between vendors
on security issues and called on the
US National Institute of Standards and
Technology (NIST) to encourage the development of a secure
software auditing standard. Davidson said such a standard could
force better collaboration and ultimately reduce flaws in
software code.
"Products need to be designed to be innately defensible,"
Davidson said. "It would boost the security worthiness of
software."
Microsoft's Douglas Cavit, chief security strategist for
trustworthy computing, said Vista's security improvements and the
Redmond, Wash.-based vendor's
Network Access Protection will enable third-party software
vendors to boost security on the platform. NAP technology is
included in Windows Vista, but won't be fully functional until the
release early next year of the Longhorn server, now known as
Windows Server 2008.
"We think it's important to have an open, transparent
development process and an open vulnerability mitigation process,"
Cavit said.
Customers have been the main drivers for vendors to improve
security in their products, said Bret Hartman, chief technology
officer of RSA, who is responsible for defining EMC's corporate
security technology strategy. Hartman said RSA and other vendors
ensure that software works well and securely with their partners.
Software will likely never get to the point where it functions
securely with all vendors, he said.
"We need to do a better job in helping companies define the
policies that they need to enforce," Hartman said. "Right now it's
a very labor-intensive process."
After the panel session, conference attendees shared their
frustration with software security.
 | | | | | We need to do a better job in
helping companies define the policies that they need to enforce.
Right now it's a very labor-intensive process.
Bret Hartman
CTOEMC's RSA Security
division |
| | | | | |
| |
|
If the top level vendors take a greater initiative to focus on
improving security, the entire industry could improve, said David
Wykoff, an IT client advocate at Falls Church, Va.-based General
Dynamics Corp. Wykoff said standards need to be pushed to create
better security between products.
"Certainly you would hope that there would be better standards
then there are and less confusion for us corporations who are just
trying to keep things as secure as we can," he said. "It's an
uphill battle."
Security vendors have improved building security into their
products, but cooperation can only go so far, said a security
architect from a West coast financial services firm. Vendors want
to satisfy their customers, but they first have to please their
shareholders, he said.
"Their core function in life is to build products that create
revenue," he said. "They will always have the presence of their
business needs and that conflicting pressure puts a strain on
cooperation."