

Software Security

The Big Fix

14.10.2002
By Scott Berinato

Software development has been able to maintain its old-school, insecure approach because the technology industry adopted a less-than-ideal fix for the problem: security applications, a multibillion-dollar industry's worth of new code to layer on top of programs that remain foundationally insecure. But there's an important subtlety. Security features don't improve application security. They simply guard insecure code and, once bypassed, can allow access to the entire enterprise.

That's triage, not surgery. In other words, the industry has put locks on the doors but not on the loading dock out back. Instead of securing networking protocols, firewalls are thrown up. Instead of building e-mail programs that defeat viruses, antivirus software is slapped on.

When the first major wave of Internet attacks hit in early 2000, security software was the savior, brought in at any expense to mitigate the problem. But attacks kept coming, and more recently, security software has lost much of its original appeal. That, combined with a bad economy, a new focus on national security, pending regulation that focuses on securing information and sheer fatigue from the constant barrage of attacks, spurred CSOs to think differently about how to fix the security problem.

In addition, a bevy of new research was published that shows there is an ROI for vendors and users in building more secure code. Plus, a new class of software tools was developed to automatically ferret out the most gratuitous software flaws.

Put it all together, and you get, ta da!, change. And not just change, but profound change. In technology, change usually means more features, more innovation, more services and more enhancements. In any event, it's the vendor defining the change. This time, the buyers are foisting on vendors a better kind of change. They're forcing vendors to go back and fix the software that was built poorly in the first place. The suddenly efficacious corporate software consumer is holding vendors accountable. He is creating contractual liability and pushing legislation. He is threatening to take his budget elsewhere if the code doesn't tighten up. And it's not just empty rhetoric.
