In Depth

Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato

Page 3

Now, features make software do something, but they don't stop it from unwittingly doing something else at the same time. E-mail attachments, for example, are a feature. But e-mail attachments also help spread viruses. That is an unintended consequence, and the more features a program has, the more unintended consequences it carries.

As networking spread and featureitis took hold, some systems were compromised. The worst case was in 1988, when a graduate student at Cornell University released a worm (now known as the Morris worm) that replicated itself to roughly 6,000 hosts and brought down much of the network. At the time, events like that were the exception.

By 1996, the Internet supported 16 million hosts. Application security (or, more specifically, the lack of it) turned dramatically worse. The Internet was a joke in terms of security, easily compromised by dedicated attackers. Teenagers were cracking anything they wanted to: NASA, the Pentagon, the Mexican finance ministry. The odd part is, while the world changed, software development did not. It stuck to its features-and-deadlines culture despite the security problem.

Even today, the software development methodologies most commonly used still cater to deadlines and features, and not security. "We have a really smart senior business manager here who controls a large chunk of this corporation but hasn't a clue what's necessary for security," says an information security officer at one of the largest financial institutions in the world. "She looks at security as, Will it cost me customers if I do it? She concludes that requiring complicated, alphanumeric passwords means losing 12 percent of our customers. So she says no way."

Software development has been able to maintain its old-school, insecure approach because the technology industry adopted a less-than-ideal fix for the problem: security applications, a multibillion-dollar industry's worth of new code layered on top of programs that remain foundationally insecure. But there's an important subtlety. Security applications don't make the underlying software any more secure. They only stand guard in front of insecure code, and once the guard is bypassed, an attacker reaches the same flawed code and, through it, potentially the entire enterprise.

That's triage, not surgery. In other words, the industry has put locks on the doors but not on the loading dock out back. Instead of securing networking protocols, firewalls are thrown up. Instead of building e-mail programs that defeat viruses, antivirus software is slapped on.
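The difference between guarding insecure code and fixing it fits in a few lines. What follows is an added example written for this edit, not code from the article or from any vendor it mentions: a hypothetical user lookup built by string concatenation (the insecure code), a signature-based input filter placed in front of it (the bolt-on security feature, playing the role the article assigns to firewalls and antivirus), and the same lookup rewritten with a parameterized query (the fix in the software itself). The database, the table and both attack payloads are constructed for the illustration.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

# Foundationally insecure code: the query is assembled by string concatenation,
# so whatever the caller passes as `name` becomes part of the SQL.
def lookup_unsafe(conn, name):
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))

# The bolt-on "security feature": a signature filter in front of the same
# insecure code. It matches strings it has seen before; it does not change
# the code behind it. (Hypothetical signature list, chosen for the example.)
SIGNATURES = ("' or ", "--", "union", ";")

def guard(name):
    lowered = name.lower()
    return not any(sig in lowered for sig in SIGNATURES)

def lookup_guarded(conn, name):
    if not guard(name):
        raise ValueError("blocked by input filter")
    return lookup_unsafe(conn, name)

# The fix in the software: a parameterized query. The database driver sends
# `name` as data, never as SQL, so there is nothing for a filter to catch.
def lookup_safe(conn, name):
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

# Constructed payloads. The first is the textbook injection the filter was
# written against; the second pads the same logic with SQL block comments,
# which SQLite treats as whitespace, so none of the signatures match.
NAIVE_PAYLOAD = "x' OR 1=1 --"
EVASIVE_PAYLOAD = "x'/**/OR/**/1=1/*"

if __name__ == "__main__":
    conn = make_db()
    print("guard blocks naive payload:", not guard(NAIVE_PAYLOAD))
    print("guard passes evasive payload:", guard(EVASIVE_PAYLOAD))
    print("guarded lookup leaks:", lookup_guarded(conn, EVASIVE_PAYLOAD))
    print("parameterized lookup returns:", lookup_safe(conn, EVASIVE_PAYLOAD))
```

The filter stops the payload it was written for and waves through the comment-padded variant, which then returns every user; the parameterized version treats either string as a literal name and returns nothing. That is the article's point in miniature: a guard placed in front of insecure code holds only until someone supplies the input the guard did not anticipate, while the fixed code has no loading dock to find.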

When the first major wave of Internet attacks hit in early 2000, security software was the savior, brought in at any expense to mitigate the problem. But the attacks kept coming, and more recently, security software has lost much of its original appeal. That, combined with a bad economy, a new focus on national security, pending regulation that focuses on securing information and sheer fatigue from the constant barrage of attacks, spurred CSOs to think differently about how to fix the security problem.
