In Depth

Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato

Page 8

The ability of the public sector to whip vendors into shape on application security is best represented, though, by John Gilligan, CIO of the Air Force, who in March told Microsoft to make better products or he'll take his $6 billion budget elsewhere. It was a challenge by proxy to all software vendors. At the time, Gilligan said he was "approaching the point where we're spending more money to find patches and fix vulnerabilities than we paid for the software." And he wasn't shy about labeling software security a "national security issue."

Microsoft Chief Security Strategist Charney called himself a "nudge and a pest by nature," and he may have found his counterpart in Gilligan, who in addition to mobilizing the Air Force is encouraging other federal agencies to use similar tactics. Gilligan says he was encouraged by Bill Gates's notorious "Trustworthy Computing" memo, his mea culpa proclamation in January that Microsoft software must get more secure, but that "the key will be, what's the follow-through?"

Nudging Vendors

Gilligan is right, and clever, to invoke patches as a major part of his problem. If a vendor is not convinced that securing applications is a good idea after getting proof of an ROI from securing applications early, or after gaining the favor of large customers by submitting to a certification process or to a contract with strong language, then patches might do the trick.

Patches are like ridiculously complex tourniquets. They are the terrible price everyone, vendors and CSOs alike, pays for 30 years of insecure application development. And they are expensive. Davidson at Oracle estimates that one patch the company released cost Oracle $1 million. Charney won't estimate. But what's clear is that the economics of patching is quickly getting out of hand, and the vendors appear to be motivated to ameliorate the problem.

At Microsoft, it starts with security training, required for all Microsoft programmers as a result of Gates's memo. Michael Howard, coauthor of Writing Secure Code, and Steve Lipner, manager of Microsoft's security center (Patch Central), are running the effort to make Microsoft software more secure.

The training establishes new processes (coding through defense in depth, that is, writing your piece of code as if everything around your code will fail). It sets new rules (security goals now go in requirements documents at Microsoft; insecure drivers are summarily removed from programs, a practice that Richardson says would have been heresy not long ago). And it creates a framework for introducing Microsoft teams to the concept of managed code (essentially, reusable code that comes with guarantees about its integrity).
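To make the "write your code as if everything around it will fail" rule concrete, here is an added example in C; it is not code from the article, from Microsoft's training, or from Writing Secure Code, and the function names (copy_field, checked_array_size) and the inputs are constructed for illustration. The copy routine refuses to trust the caller's pointers or lengths and leaves an empty string rather than a partial copy on any failure; the size helper refuses to let an allocation size wrap around.

```c
/* Added example (not from the article): defensive coding in the
 * "assume everything around your code will fail" style. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    COPY_OK = 0,
    COPY_ERR_NULL_ARG,
    COPY_ERR_NO_SPACE,
    COPY_ERR_TOO_LONG
} copy_status;

/* Copy src (src_len bytes, not necessarily NUL-terminated) into dst as a
 * NUL-terminated string. Makes no assumptions about the caller: pointers
 * may be NULL, lengths may be wrong, and on any failure dst is left as an
 * empty string rather than a partial or unterminated copy. */
copy_status copy_field(char *dst, size_t dst_cap, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL) {
        if (dst != NULL && dst_cap > 0) dst[0] = '\0';
        return COPY_ERR_NULL_ARG;
    }
    if (dst_cap == 0) return COPY_ERR_NO_SPACE;
    if (src_len >= dst_cap) {            /* must leave room for the terminator */
        dst[0] = '\0';
        return COPY_ERR_TOO_LONG;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return COPY_OK;
}

/* Compute count * elem_size for an allocation without letting it wrap.
 * Returns 0 on overflow or on a zero operand; 0 is never a valid size here,
 * so callers treat it as "do not allocate". */
size_t checked_array_size(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0) return 0;
    if (count > SIZE_MAX / elem_size) return 0;   /* would wrap around */
    return count * elem_size;
}

int main(void)
{
    char buf[8];
    /* Constructed input: longer than buf, as a careless caller might pass. */
    const char too_long[] = "0123456789";
    copy_status st = copy_field(buf, sizeof buf, too_long, sizeof too_long - 1);
    printf("too-long copy: status=%d, buf=\"%s\"\n", (int)st, buf);

    st = copy_field(buf, sizeof buf, "abc", 3);
    printf("good copy: status=%d, buf=\"%s\"\n", (int)st, buf);

    printf("wrapping size request -> %zu\n", checked_array_size(SIZE_MAX / 2, 4));
    return 0;
}
```

The point is not the particular checks but the posture: each argument is treated as potentially hostile or mistaken, every failure path leaves the output in a known-safe state, and the caller gets a status it cannot ignore by accident.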
