Vendors admit more cooperation needed on security

Security leaders from large software vendors pledge to cooperate on embedding more security into their products.

The security chiefs of several large infrastructure and software vendors said they are doing all they can do to embed security into their products, but they agreed that more work must be done to improve security between their platforms.

Even though vendors have built in security controls to narrow the gap between their products and their partner products, gaps remain. That makes it difficult for IT security professionals to manage multiple platforms and secure transactions between various applications and servers.

In a roundtable discussion with attendees at the Burton Group Catalyst Conference Wednesday, the security chiefs from Oracle, CA., Microsoft, EMC's RSA division and intrusion prevention system vendor Third Brigade said their organisstions are working to be more proactive about security. Still, conference attendees said growing heterogeneous environments and the explosion of Web-based applications has made security difficult to control.

Secure software code is a priority at Oracle, said Oracle CSO, Mary Ann Davidson. She suggested more collaboration between vendors on security issues and called on the US National Institute of Standards and Technology (NIST) to encourage the development of a secure software auditing standard. Davidson said such a standard could force better collaboration and ultimately reduce flaws in software code.

"Products need to be designed to be innately defensible," Davidson said. "It would boost the security worthiness of software."

Using acquisitions to boost security:

In an effort to improve the security of their products, many large IT vendors have acquired third-party software companies. Here is a look at some of them:

-- JUNE 2007: HP announces it will acquire SPI Dynamics.

-- JUNE 2007: IBM announces it will acquire risk management software vendor Watchfire

--FEBRUARY 2007: EMC  announces a definitive agreement to acquire data security firm Valyd Software Private .

-- JANUARY 2007: Cisco Systems Inc. announces plans to buy Internet security gateway appliance vendor IronPort Systems for $830 million.

-- JANUARY 2007: Fortify Software Inc announces its acquisition of Secure Software Inc.

-- DECEMBER 2006: IBM announces plans to acquire Consul Risk Management Inc., whose software tracks employee behavior and unauthorised records access.

-- SEPTEMBER 2006: EMC Corp. announces its $175 million acquisition of security event management vendor Network Intelligence Corp.

-- AUGUST 2006: IBM announces the $1.3 billion acquisition of Internet Security Systems Inc. (ISS) to bolster its position in the managed security services market.

Microsoft's Douglas Cavit, chief security strategist for trustworthy computing, said Vista's security improvements and the Redmond, Wash.-based vendor's Network Access Protection will enable third-party software vendors to boost security on the platform. NAP technology is included in Windows Vista, but won't be fully functional until the release early next year of the Longhorn server, now known as Windows Server 2008.

"We think it's important to have an open, transparent development process and an open vulnerability mitigation process," Cavit said.

Customers have been the main drivers for vendors to improve security in their products, said Bret Hartman, chief technology officer of RSA, who is responsible for defining EMC's corporate security technology strategy. Hartman said RSA and other vendors ensure that software works well and securely with their partners. Software will likely never get to the point where it functions securely with all vendors, he said.

"We need to do a better job in helping companies define the policies that they need to enforce," Hartman said. "Right now it's a very labor-intensive process."

After the panel session, conference attendees shared their frustration with software security.

We need to do a better job in helping companies define the policies that they need to enforce. Right now it's a very labor-intensive process.
Bret Hartman
CTOEMC's RSA Security division

If the top level vendors take a greater initiative to focus on improving security, the entire industry could improve, said David Wykoff, an IT client advocate at Falls Church, Va.-based General Dynamics Corp. Wykoff said standards need to be pushed to create better security between products.

"Certainly you would hope that there would be better standards then there are and less confusion for us corporations who are just trying to keep things as secure as we can," he said. "It's an uphill battle."

Security vendors have improved building security into their products, but cooperation can only go so far, said a security architect from a West coast financial services firm. Vendors want to satisfy their customers, but they first have to please their shareholders, he said.

"Their core function in life is to build products that create revenue," he said. "They will always have the presence of their business needs and that conflicting pressure puts a strain on cooperation."

Read more on Antivirus, firewall and IDS products