Enterprise software manufacturers should ship products with the maximum security set as default, according to Mary Ann Davidson, chief security officer at Oracle.
Getting the basic installation right could boost the security of users' IT systems significantly, said Davidson at the OracleWorld conference in San Francisco.
“We certainly make products secure by default, yet there is still way too much manual configuration customers have to do to secure their systems,” she said.
As business users struggle to cope with the spate of worms, viruses and hacking, the damage caused by malicious attacks could be minimised if software was set to the highest level of security when it was installed.
“My biggest fear is that something we fail to do will create a problem for customers,” Davidson told Computer Weekly.
Oracle now runs a standard software development processes for creating not just the Oracle database, but also its applications suite. Within that, “We have release criteria for all our products and support tools to ascertain security worthiness,” she said.
The timing of security alerts and patch management issues have, increasingly, caused controversy as the number of malicious incidents has increased. Davidson believed it is important for Oracle users to receive the information on a security alert at the earliest opportunity.
“We have so many customers and so many sectors that can be considered part of infrastructure that would not be on the insider list [the organisations and businesses that governments deem to be critical to the functioning of society],” she said.
However, Cisco's recent handling of a flaw in its IOS operating system impressed Davidson. “Cisco made a good case in alerting its internet infrastructure customers first,” she said.
Davidson added that in the Cisco example, the people running the internet backbone would have been most exposed by the flaw in its IOS operating system. If the internet infrastructure was damaged, everyone else would be affected.
Suppliers need to try to try to fix problems as quickly as possible with good quality patches, she said. “It does not do you a lot of good releasing a patch that breaks customer systems,” she said. “They won’t trust you the next time around,” when the flaw may be more critical.