Follow Us

Put pressure on vendors says SANS

A four-letter word could be the answer.

Companies are having more success in pressuring software vendors into including security into their products, a trend that vendors are resisting less, according to one security expert.

Before granting a contract, companies now are requiring that vendors also test software patches on systems with the same configurations as users are running, said Alan Paller of SANS, an IT training organisation.

Another new trend is groups of companies agreeing on base security standards for applications and then passing those requirements onto vendors.

"It's using the contracts to shift the responsibility for security upstream to the vendor where the economies of scale make it [security] cost effective," Paller said.

Software makers have fought the initiatives "tooth and nail," but are coming around, Paller said. "They don't like the users to take control," he said. "They want to control the buying process, so they don't like this idea, but there isn't any other idea that's a good one for fixing these problems."

The requirement comes after companies have struggled with slow patching cycles and rising risks that come with deploying insecure Web-based applications.

Websites are rife with security problems: In 2006, the Web Application Security Consortium surveyed 31,373 sites and found that 85.57 percent were vulnerable to cross-site scripting attacks, 26.38 were vulnerable to SQL injection and 15.70 percent had faults that could let an attacker steal information from databases.

"This is a big problem," Paller said. "We've got to get it fixed in a hurry."

Vendors have typically only tested their software patches on machines in default configurations, which isn't representative of the real IT world, Paller said. Many businesses use custom applications with custom configurations, which require rigorous testing to ensure a patch won't break their applications.

The US Air Force was one of the first organisations that tried a new approach when contracting IT systems with Microsoft and other application vendors about two years ago to enable speedier patching, Paller said.

The Air Force's CIO at the time, John M. Gilligan, consolidated 38 different IT contracts into one and ordered all new systems to be delivered in the same, secure configuration. Then, he ordered that application vendors certify that their applications would work on the secure configurations, Paller said.






Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

State of software security report volume 4

If your business has anything worth protecting, be it money, intellectual property or a trusted...

Download Whitepaper

New threats demand innovative responses

Financial institutions in the UK remain susceptible to further systemic problems, as challenging...

Download Whitepaper

Delivering a competitive advantage through IT

IT organisations share a common mission; to optimise investments and streamline operations to...

Download Whitepaper

6 tips to mobilise your existing ERP

Enterprise mobile users throughout the global business community will number 1.19 billion by...

Download Whitepaper

Techworld UK - Technology - Business

Techworld Awards

Techworld Awards Winners 2011


Learn who the winners of this year's Techworld Awards are. Video footage coming soon...

Find out more
Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

Site Map

* *