Software code security critical issue
By SONIA KOLESNIKOV-JESSOP
http://www.sciencedaily.com/upi/index.php?feed=Science&article=UPI-1-20050425-08450700-bc-singapore-davidson.xml
SINGAPORE, April 25 (UPI) -- Only a few years ago, almost no books existed
on how to write secure software code. Now, with computer and Internet
security becoming more complicated and pervasive throughout the world
economy, experts deem it critical for businesses to understand the
vulnerabilities of the code they are using.
One example: A 2002 study by the U.S. National Institute of Standards and
Technology found software errors cost the nation's economy nearly $60
billion annually.
Many analysts agree that how to write secure software and ensure the
invulnerability of a company's IT assets are strategic corporate issues, and
that software developers generally need to improve the security of the code
they write. Still, the move toward developing more secure code has been
slow and has emerged only recently.
"A few years ago if you were talking about a virus, people would think you had
a cold, but nowadays, many people are likely to think you're talking about
computers -- we've all been hit by the cyber plague," Mary Ann Davidson,
chief security officer of Oracle Corp., told United Press International.
Until just a couple of years ago, most security intrusions were conducted by
hackers showing off among themselves. Now, more than 50 percent of malware
-- short for malicious software -- is developed for criminal purposes,
Davidson said.
Software "holes," as she described them, are being exploited at a faster
pace, giving users very little time to react to new threats. The SQL Slammer
worm of 2003 took eight months to appear after the flaw it exploited was
first announced, while last year's MyDoom made the rounds in less than four
weeks.
Davidson said the software market is changing. Several companies are
offering automated tools to consumers that can help restore code security.
"I've seen a number of start-ups focusing on being able to detect a virus
entering the network and dynamically reconfiguring the network so as to
quarantine it," she said. "There are automated tools that will look at your
code to fix your security, which are just starting to hit the market."
Traditionally, security solutions have focused on solving software problems
at the network level, but even with a good firewall and anti-virus software,
underlying flaws in the code can compromise security. Governments, companies
and consumers alike are facing the growing problem of protecting sensitive
information from malicious intent, including identity theft, threats of
cyber-terrorism and corporate espionage.
"We have to think like an attacker to be a true defender," said Davidson,
who served as a commissioned officer in the U.S. Navy Civil Engineer Corps,
where she was awarded the Navy Achievement Medal.
Davidson said the security software industry is beginning to offer "more
ways of defending yourself," with a large focus on identity management --
such as using a single identity to enter several different Web sites.
"A recent study showed that the two top drivers for security purchases in
software are compliance and the Sarbanes-Oxley Act," she said, adding that
the same study showed that, of the top 10 products being bought, four were
for identity management.
The Sarbanes-Oxley Act -- passed in 2002 to strengthen corporate
accountability requirements -- has placed a greater burden on companies to
demonstrate due diligence on matters related to information security.
"Anybody that is a military strategist will tell you that you need defense
in depth," Davidson said. "I have a lock on my top drawer, but I also have
my valuables locked up separately, so you've got to go through two locks --
but too many bandages are not good either."
She said the market's dynamic for security -- and secure products -- is
changing and she thinks customers can and should drive the marketplace
toward greater security at lower cost.
"Software companies need to build easy products for the consumer," Davidson
said. "Grandma shouldn't need to be a software expert. She needs to get a
decent security tool and more products need to focus on working securely
without Grandma having to do anything."
She added that in today's reality, everyone needs "some general awareness
about how to stay safe online, just like you would teach children how to
cross the street. It doesn't mean that the majority of the burden should be
on the consumer. We have traffic lights to help us cross the street, but we
also need to remember to look both ways."
Oracle, along with Microsoft, has led a push for more secure software,
though it has seen its share of criticism recently over its decision to issue
patches for vulnerabilities only on a quarterly basis, versus Microsoft's
monthly patches. Davidson defended the move, however.
"Most of our customers asked us not to make them patch their network every
month," she said. "In fact, some of them only want to do major patchwork
once a year. We even have to think about which date in the quarter we should
release the patches so that it will be the least disruptive for our
customers."
Sonia Kolesnikov-Jessop covers technology in Asia for UPI Science News.
E-mail: [EMAIL PROTECTED]
Copyright 2005 by United Press International. All Rights Reserved.