The recent Slammer worm hit some large enterprises, including Microsoft, by exploiting a vulnerability in Microsoft's SQL Server and Desktop Engine. This highlights a problem that some companies are addressing by asking software vendors for the right to audit their software for flaws before purchase.
Now, no one believes customers auditing software is a panacea for vulnerabilities. If that were the case, then open-source software would be virtually vulnerability-free, since anyone with a computer and Web access can view the source code.
Microsoft has just such a program; it allows large enterprise and government customers to access Windows source code to allay their security fears (though the code cannot be altered, nor can it be distributed). Sun Microsystems Inc. has a similar program for accessing source code of its flavor of Unix, Solaris.
During a recent SearchSecurity.com newscast, vulnerability finder Mark Litchfield was asked why software companies don't find the flaws that he and his ilk do. He said vendors do scour their software for flaws but, since modern applications are so complex, not all vulnerabilities can be found.
So why would a company want to audit software code? For starters, a company may be able to look for vulnerabilities that would specifically affect how they plan to configure their systems. But the mere act of asking to audit software sends a message to vendors. In other words, it's like asking to inspect a used car before buying it. The salesperson would realize you are a serious buyer and may tell you about some of the defects before you find them yourself.
Jeffrey Guifoyle, vice president of systems and security for Omaha, Neb.-based Solutionary, a managed security services provider, has seen customers start to look at security as more of a critical factor in the software purchase decision. "[Application service providers] are also a prime target for vulnerability assessment prior to making a final decision, as their software is often even more susceptible, since it is often Internet-accessible," he said.
Much like many car buyers don't have the knowledge to conduct a mechanical inspection of a car themselves, many companies can't audit a piece of software for security vulnerabilities. Hence, the practice of auditing software is probably more the domain of large enterprises and governments because they will have the expertise to check the software and the buying power to demand it.
There is a mixture of opinion over the true value of source code access. Vulnerability finders such as Litchfield are able to find flaws without code access. Some experts doubt the practice will catch on and wonder whether it has much value in the first place. "While it is possible to catch some common errors, such as buffer overflows, it is impossible to catch all insecurities," said Stephen Mencik, senior information security engineer with ACS Defense Inc.
Mencik would like to see slower software development cycles, which would allow programmers to use better techniques -- so the code would be better in the first place. "The vast majority of people that buy software are not willing to pay additional [money] for the development practices needed and the expense of independent evaluation," he said.
Mark Doll, director of Ernst & Young's security and technology solutions practice for the Americas, sees another approach that large companies may employ. Large customers can tell vendors they know vulnerabilities will be found and that they will need to patch their systems. "They could say they would need a full-time person to keep up with patches and then negotiate to pay, say, $80,000 less," he said.
Send your comments to News Writer Edward Hurley.