In Depth

Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato

Page 4

In addition, a bevy of new research was published that proves there is an ROI for vendors and users in building more secure code. Plus, a new class of software tools was developed to automatically ferret out the most gratuitous software flaws.

Put it all together, and you get (ta da!) change. And not just change, but profound change. In technology, change usually means more features, more innovation, more services and more enhancements. In any event, it's the vendor defining the change. This time, the buyers are foisting on vendors a better kind of change. They're forcing vendors to go back and fix the software that was built poorly in the first place. The suddenly efficacious corporate software consumer is holding vendors accountable. He is creating contractual liability and pushing legislation. He is threatening to take his budget elsewhere if the code doesn't tighten up. And it's not just empty rhetoric.

Mary Ann Davidson, CSO at Oracle, claims that now "no one is asking for features; they want information assurance. They're asking us how we secure our code." Adds Scott Charney, chief security strategist at Microsoft, "Suddenly, executives are saying, 'We're no longer just generically concerned about security.'"

So What Are We Doing About It?

Specifically, all this concern has led to the empowerment of everyone who uses software, and now they're pushing for some real application security. Here are the reasons why.

Vendors have no excuse for not fixing their software because it's not technically difficult to do. For anyone who bothers to look, the numbers are overwhelming: 90 percent of hackers tend to target known flaws in software. And 95 percent of those attacks, according to SEI's Cross, among other experts, exploit one of only seven types of flaws. (See "Common Vulnerabilities," opposite page.) So if you can take care of the most common types of flaws in a piece of software, you can stop the lion's share of those attacks. In fact, if you eliminate the most common security hole of all, the dreaded buffer overflow, Cross says you'll scotch nearly 60 percent of the problem right there.
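To show how simple the fix for that most common hole is in practice, here is an added illustration (not code from the article or from SEI): a name-copying routine in its unbounded "before" form next to a bounds-checked "after" form. The buffer size, the function names and the sample inputs are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* The vulnerable pattern: nothing checks that src fits in name[].
 * Any src longer than NAME_MAX-1 characters writes past the end of the
 * buffer, which is the classic stack buffer overflow the text refers to. */
void copy_name_unchecked(char *name /* NAME_MAX bytes */, const char *src)
{
    strcpy(name, src);            /* unbounded copy: length never checked */
}

/* The hardened version: know the destination size, check the length
 * before copying, refuse input that will not fit, and always leave the
 * destination NUL-terminated. Returns 0 on success, -1 on rejection. */
int copy_name_checked(char *name, size_t name_size, const char *src)
{
    size_t len = strlen(src);

    if (name_size == 0)
        return -1;
    if (len >= name_size) {       /* no room for the terminator */
        name[0] = '\0';           /* leave a well-defined, empty string */
        return -1;
    }
    memcpy(name, src, len + 1);   /* len + 1 copies the terminator too */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    const char *ok = "alice";                                   /* constructed */
    const char *too_long = "a name that is longer than sixteen bytes"; /* constructed */

    if (copy_name_checked(name, sizeof name, ok) == 0)
        printf("copied: %s\n", name);
    if (copy_name_checked(name, sizeof name, too_long) != 0)
        printf("rejected over-long input (%zu bytes)\n", strlen(too_long));

    /* copy_name_unchecked(name, too_long) would overrun name[] here; it is
     * shown only so the defect and the one-line check that removes it can
     * be compared side by side. */
    return 0;
}
```

The whole difference between the two routines is one length comparison against a known destination size, which is the point Cross makes: the flaw is common, but the fix is freshman-level work.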

"It frustrates me," says Cross. "It was kind of chilling when we realized half-a-dozen vulnerabilities were causing most of the problems. And it's not complex stuff either. You can teach any freshman compsci student to do it. If the public understood that, there would be an outcry."

SEI and others such as @Stake are shining a light on these startling facts (and making money in doing so). It has started to have an effect. Wysopal at @Stake says he's seeing more empowered and proactive customers, and in turn, vendors are desperately seeking ways to keep those empowered customers.
