In Depth

Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato

Page 6

General Magic officials say they weren't surprised by the language in the contract, but many experts say the company has to be pretty confident in its products to sign off. The effect of the contract, though, is to improve software in general. The vendor must make secure applications, or fix them so they're secure, to conform to its contract with a customer, but that makes the software better for everyone.

Clout is not limited to the Fortune 500. Sure, it's easy for GE to write such a contract, given that GE is part of the Fortune 2. And there's nothing wrong with CSOs benefiting from GE's clout, the corporate equivalent of drafting in auto racing.

But there are other ways to force the issue with vendors for CSOs at companies smaller than GE (which is everyone but Wal-Mart). One can join the Sustainable Computing Consortium at Carnegie Mellon University, and the Internet Security Alliance, formed under the Electronic Industry Alliance. The interest groups help companies of all sizes band together on standardizing contract language and best practices for software development.

Some are taking satisfaction in a good old-fashioned boycott, even if they are so small as to escape the vendor's notice. Newnham College at the University of Cambridge in England, with 700 users, recently banned Microsoft's Outlook from use on campus because of the virus problem.

Much of the clout CSOs gain will come from the market evolving. In a sense, the software makers create clout for the CSO by asking her to deploy the product for ever more critical business tasks. At some point, the potential damage an insecure product could inflict will dictate whether it will be purchased.

"Two years ago, the marketing strategy was to just get it out there. And some of the stuff that went out was really insecure," says the anonymous ISO at the large financial institution. "But now, we just say, applications don't go live without security. It's a sledgehammer."

And it's not a randomly wielded one either. His company has created a formal process to assess vendors' applications, as well as his own company's software development. It includes auditing and penetration testing, and requires vendors to conform to overarching security criteria, such as eliminating buffer overflows. It's not unusual, the security officer says, for his group to spend $40,000 per quarter testing and breaking a single application.

"Customers are vetting us," says Davidson. "Not just kicking the tires, but they're asking how we handle vulnerabilities. Where is our code stored? Do we do regression testing? What are our secure coding standards? It's impressive, but it's also just plain necessary."
