This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
"Microsoft has made [security investment], but it's not clear that it's gone all the way yet," Spafford says. "Had Trustworthy Computing not occurred, we'd be in much worse shape than we are now. Other vendors need to get with it."
Amoroso says we're stuck with bad software--for now.
"If you look at other branches of engineering such as electrical engineering, these are fairly mature branches of engineering--thousands of years of experience built on principles. If you study engineering, there's a routine curriculum no matter where you go," Amoroso says. "Software engineering doesn't enjoy that kind of maturity. You couldn't get a software engineering degree in 1980. We have to deal with the immaturity of it as a discipline. But each year that passes, we learn more about it, and programming gets better. In the meantime, we have to be somewhat reactive. I'll say that probably in my lifetime, we won't see massively sized, complex software that's actually correct."
Adding to the complexity is the depth of the vendor pool through which security managers must wade and execute make-or-break buying decisions. The boom days of the early 2000s sprouted hundreds of companies, each with a solution to the day's most pressing problems. Unfortunately, most ended up being just different takes on the same technology, and reactions to the threat of the day. Patch management and vulnerability management firms popped up in response to Microsoft's Patch Tuesday releases. Intrusion prevention made headway against signature-based intrusion detection systems. Antivirus software became commoditized, and providers began to differentiate themselves with antispyware and antispam offerings.
This was first published in January 2008