NEW YORK -- Enterprises need only look at the $2.4 billion cleanup costs that Nimda and Code Red wrought on the...
industry in 2001 to demonstrate the dire need for securely developed software. Last year's mega bits of malware crawled through gaping holes in Microsoft's Internet Information Server (ISS) Web server software, leaving devastated IT shops in their wake.
But secure software will not be a reality until vendors hear the outrage from IT and adopt a strong culture of security from the outset of the development process, said Oracle chief security officer Mary Ann Davidson.
"Customers should be screaming at their vendors for secure products," Davidson told more than 200 enterprise IT managers Wednesday at the Yankee Group's Securing the Enterprise conference.
Davidson offered Oracle's development team as an example of how security is ingrained in a development team, top-down and stressed that every enterprise would do well to adopt a similar internal philosophy.
Not only does Oracle have to live up to its CEO Larry Ellison's "unbreakable" claims about the company's software, but also Oracle runs on its own product in-house. Its best customer is its own IT shop, Davidson said. And that lesson can and should be applied across the board in any enterprise, she said.
"Make it part of your corporate DNA. Foster an environment of security," Davidson said.
Davidson said a secure development process must come with what she called "information assurance," or a level of confidence that a project was done properly. There also has to be instant response to reported vulnerabilities and finally, configuration and installation must be done correctly to be secure, else they become vulnerabilities too.
"In our case, you can't have a culture that stops at development and security becomes someone else's problem," she said.
Oracle's corporate security culture begins with standard, best practices. Davidson has established secure coding standards and a centralized code library for Oracle's developers, who must also attend hacker classes.
"Security is part of the design process," Davidson said. "All specifications have their own security sections while in development."
There are also test suites for security where regression tests are performed on vulnerabilities so that in future versions, the same vulnerability is not written into code, she said.
The stringent coding environment does not end, however, with the completion of code writing. Davidson said third parties perform evaluations on code against defined security criteria for an extra level of assurance.
"They evaluate the design, development, testing and delivery of a product," Davidson said. "Evaluations force a secure development process. They create a culture of security because an organization has to make a long-term investment to do them."
Some evaluations cost between $500,000 and $1 million and take months to complete, she said. Companies, however, run the risk of a product becoming obsolete in that time period. Davidson counters that with risk assessments from ethical "white-hat" hackers who penetrate any coding holes and allow for repair time before software is brought to market.
"The benefit is a significant cost-avoidance," Davidson said. "Oracle doesn't have to pay to fix holes on all the platforms it supports and customers don't have to pay to apply patches on all their servers."
Before releasing an application, Oracle developers have a running checklist of security questions they must fulfill before a product is brought to market, sort of a failsafe that prevents costly errors. "They have to answer questions like, 'Did you hard code a password?' and 'Do you use random number generators for crypto?' " Davidson said.
Davidson adds that none of this can proceed without a high-level commitment on the part of management. CSOs like her are becoming noticed more often and giving someone that kind of clout in an organization is vital to the fostering of a secure corporate culture.
"You have to have a CSO with authority and responsibility," she said. "And they have to have reinforcement from the top. I like to call it a silver bullet. I can always go to Larry (Ellison)."