Strategies


Software Security

The Big Fix

14.10.2002
By Scott Berinato

The government has for more than a decade tried to implement such a policy, but it has been put off. Vendors have routinely been able to receive waivers through loopholes in order to avoid the process. The July move is considered a line in the sand. With national security on everyone's mind, experts believe waivers will be harder to come by. The Navy is telling kvetching vendors to use NSTISSP no. 11 as a way to gain a competitive advantage. At any rate, products will have to be secured, or the government won't buy them. Like GE's contract, this makes software better for everyone.

The ability of the public sector to whip vendors into shape on application security is best represented, though, by John Gilligan, CIO of the Air Force, who in March told Microsoft to make better products or he'll take his $6 billion budget elsewhere. It was a challenge by proxy to all software vendors. At the time, Gilligan said he was "approaching the point where we're spending more money to find patches and fix vulnerabilities than we paid for the software." And he wasn't shy about labeling software security a "national security issue."

Microsoft Chief Security Strategist Charney called himself a "nudge and a pest by nature," and he may have found his counterpart in Gilligan, who in addition to mobilizing the Air Force is encouraging other federal agencies to use similar tactics. Gilligan says he was encouraged by Bill Gates's notorious "Trustworthy Computing" memo - his mea culpa proclamation in January that Microsoft software must get more secure - but that "the key will be, what's the follow-through?"

Nudging Vendors

Gilligan is right, and clever, to invoke patches as a major part of his problem. If a vendor is not convinced that securing applications is a good idea after getting proof of an ROI from securing applications early, or after gaining the favor of large customers by submitting to a certification process or to a contract with strong language, then patches might do the trick.
