


Vendor CSOs

Oct 07, 2002 | 5 min read
CSO and CISO | Data and Information Security

When SEI’s Steve Cross says that we pay the same for Windows as we do for a toaster, yet we only expect the toaster not to fail, it’s not a stretch to imagine the vendors countering that toasters are designed to do only one thing, so they’re easier to secure. But by now, Scott Charney, Mary Ann Davidson and Whitfield Diffie, CSOs of Microsoft, Oracle and Sun, have told their companies that while this is true, it’s a terrible defense of the current state of software security.

That’s the kind of effect these vendor CSOs will have on their employers and, hence, on the industry. They will steer the shift, foisted on them by customers, toward a genuine focus on application security. So far, their framing of the issues indicates that the vendors are treating the proverbial sea change with at least some respect, but they’re still acting like technology vendors. Aggressive. Not afraid to blame the customer. And, of course, hyper-competitive.

“Security is generally served by simplicity,” says Diffie, self-proclaimed geek and expert cryptographer. “Therefore, there is a competition between features and security,” he says, leaving no doubt which usually loses.

“Changing the corporate culture about security is really like turning an oil tanker,” says Oracle’s Davidson, a Navy veteran with an MBA from Wharton, who surfs on weekends. “We’ve made that turn. That doesn’t mean it’s pervasive yet, but I’m making it our predilection.”

“The industry has always gone to market saying computers can do anything,” says Charney, who led the Department of Justice’s computer crime division and who was, before that, an assistant DA in the Bronx. “Then something happens and everyone says ‘fix it, make it secure.’ Of course it’s not that easy. We have to separate out the marketing and the reality,” he says, then interrupts his own pause. “Not that the marketing is false. It’s just focused on certain things.”

All three CSOs are far more plain-spoken than their executive peers, and probably more frank than their CEOs wish they were. To wit, when Davidson discloses how much money patches cost Oracle, one wonders what CEO Larry Ellison is thinking. One wonders even more what the head of a company that uses the dubious word “unbreakable” as an ad campaign is thinking when Davidson says, “I want no part of this self-congratulatory culture where you put out a press release saying you patched something or held up a product release for a week because of security. So what? Of course you did.”

All three work for companies that have in one form or another supported UCITA, the Uniform Computer Information Transactions Act, an overreaching and byzantine law that pro-vendor lobbies are trying to pass in every state. Part of UCITA aims to reduce vendors’ liability for poorly designed or insecure software; Chris Wysopal of @Stake characterized it as the opposite of a lemon law. It has largely stalled, though, and is undergoing major reworking after the American Bar Association refused to endorse it. Remarkably, none of the three CSOs said he or she was familiar with UCITA, despite its importance to application security.

All three are quick to point out that the buyers of software get what they ask for. Microsoft’s Charney: “We can make IIS more secure by narrowing what is turned on as a default. But then customers have to make educated decisions about what to turn on. So it’s a great idea until they turn it on and something breaks and they come screaming ‘You broke all my apps!’ We like to think that we have all these knowledgeable IT managers all over the planet, but the truth is the technology has proliferated faster than we could pump out good talent, even at sophisticated companies.”

None of the three is taking shots at the other two, an indication that while they are pro-security, they’re still pro-vendor first. Serious progress on the security problem could lose ground to the sniping and vendor politics that all three participate in. Davidson at Oracle has made a minor art form of interlacing ostensibly subtle insults into her conversations. Testifying before a congressional subcommittee, she said, “Let’s face it, all vendors claim they are secure, even the ones who issue security patches for their products every two-and-a-half days.”

“My impression is Microsoft is doing repair,” Sun’s Diffie says. “I come to a ship whose hatches are reasonably tied down. I find it fascinating that Sun hired a geek as a CSO and Microsoft hired a lawyer.”

Charney tried, and failed, to take the high road. “If it’s fair criticism, bring it on. Sun CEO Scott McNealy was negative about Microsoft’s focus on security, then he hires Diffie. That’s okay. If we all make security a theme, that’s great. Our products are so pervasive, their security affects more people. It’s kind of like the difference between a cargo plane and a passenger plane. You don’t want either to crash, but obviously, the passenger plane is far more critical. It has more lives on it. Tell Whit I said hello.”