SAN FRANCISCO -- The security chiefs of several large infrastructure and software vendors said they are doing all they can do to embed security into their products, but they agreed that more work must be done to improve security between their platforms.
While vendors have built in security controls to narrow the gap between their products and their partner products, gaps remain. That makes it difficult for IT security professionals to manage multiple platforms and secure transactions between various applications and servers.
In a roundtable discussion with attendees at the Burton Group Catalyst Conference Wednesday, the security chiefs from Oracle Corp., CA Inc., Microsoft Corp., EMC's RSA division and intrusion prevention system vendor Third Brigade said their organizations are working to be more proactive about security. Still, conference attendees said growing heterogeneous environments and the explosion of Web-based applications has made security difficult to control.
Secure software code is a priority at Oracle, said Oracle CSO, Mary Ann Davidson. She suggested more collaboration between vendors on security issues and called on the U.S. National Institute of Standards and Technology (NIST) to encourage the development of a secure software auditing standard. Davidson said such a standard could force better collaboration and ultimately reduce flaws in software code.
"Products need to be designed to be innately defensible," Davidson said. "It would boost the security worthiness of software."
Microsoft's Douglas Cavit, chief security strategist for trustworthy computing, said Vista's security improvements and the Redmond, Wash.-based vendor's Network Access Protection will enable third-party software vendors to boost security on the platform. NAP technology is included in Windows Vista, but won't be fully functional until the release early next year of the Longhorn server, now known as Windows Server 2008.
"We think it's important to have an open, transparent development process and an open vulnerability mitigation process," Cavit said.
Customers have been the main drivers for vendors to improve security in their products, said Bret Hartman, chief technology officer of RSA, who is responsible for defining EMC's corporate security technology strategy. Hartman said RSA and other vendors ensure that software works well and securely with their partners. Software will likely never get to the point where it functions securely with all vendors, he said.
"We need to do a better job in helping companies define the policies that they need to enforce," Hartman said. "Right now it's a very labor-intensive process."
After the panel session, conference attendees shared their frustration with software security.
If the top level vendors take a greater initiative to focus on improving security, the entire industry could improve, said David Wykoff, an IT client advocate at Falls Church, Va.-based General Dynamics Corp. Wykoff said standards need to be pushed to create better security between products.
"Certainly you would hope that there would be better standards then there are and less confusion for us corporations who are just trying to keep things as secure as we can," he said. "It's an uphill battle."
Security vendors have improved building security into their products, but cooperation can only go so far, said a security architect from a West coast financial services firm. Vendors want to satisfy their customers, but they first have to please their shareholders, he said.
"Their core function in life is to build products that create revenue," he said. "They will always have the presence of their business needs and that conflicting pressure puts a strain on cooperation."