Industry View

Who Pushed Vendors Toward Better Security?

Hint: It had something to do with pressure from customers and government agencies, writes Oracle Corp. CSO Mary Ann Davidson

By Mary Ann Davidson, CSO at Oracle Corp.


Support and lifecycle issues are also addressed to ascertain, for example, how vendors handle security vulnerabilities in their products and patch production (including testing, versioning, and ensuring that patch application does not undo security settings).

The guide discusses the purpose for the questions, the threats that the questions attempt to gauge, and weighs the responses in terms of priority. In other words, the due diligence questionnaires have intelligence built into them instead of being a set of yes/no questions with no rationale as to why the questions -- and answers -- are important.

While no questionnaire can be all-encompassing, the mere fact of asking suppliers questions related to secure development practice will signal the marketplace, as economists say, that security is important and will ultimately change the market dynamic. Even in the short run, knowledge is power, especially in procuring software that will be used for critical government applications.

Of particular note are sections relating to the self-defense capabilities of software. Historically, most software developers focus on making software as flexible as possible, while too often neglecting "security hygiene" that can improve the baseline defensibility of software. Most developers also fail to consider the possibility of software being deliberately attacked. Moving software from security-aware to self-defending is critical if software is to perform as the infrastructure it actually is. Engineers, for example, build safety factors into their designs on the assumption that sometimes, things go badly wrong; if devices fail, they must fail safely.

Secure configurations are another area where market expectations have changed due to lifecycle cost concerns. That is, if a vendor can do something once (provide a secure configuration out-of-the-box) that benefits a large customer segment and that customers would otherwise have to do repeatedly (that is, securely configure multiple instances of an operating system or application), the economic argument is all for the vendor securing once and many customers then consuming pre-secured software.

A customer sector that successfully demands secure configurations from its suppliers is in a position to lower its lifecycle security costs and also to raise the security bar for other customer sectors, since a vendor who can successfully deliver pre-secured software is likely to offer it to multiple customer sectors, not just the customers demanding it.

OMB has grasped the economic benefit of "secure once, use securely many times" by mandating that US federal agencies configure their desktops per the Federal Desktop Core Configuration (FDCC) for Windows Vista and Windows XP. Federal government contractor systems that interface with federal government systems are also subject to FDCC. The federal government believes it will improve security, reduce lifecycle costs, and decrease application-compatibility issues by using a common, enterprise-wide configuration instead of hundreds of different configurations.
