SAN DIEGO -- For months, even years, user communities have argued that poor software quality is now such a critical security issue it can't be ignored anymore. But it can't be fixed easily, either.
In several discussions on the closing day of the Burton Group Catalyst Conference last week, experts described the conundrum facing enterprises, large and small, that depend on flawed software in an increasingly threatening online world. The number of software holes in applications running critical systems continues to grow, while the window of opportunity before they are exploited is shrinking.
A lot of security software provides "low security," mainly because it takes time, process and skills to build quality -- investments many vendors are unwilling to make because of the frantic market pace, commented Burton Group principal analyst Fred Cohen. "You can't get cheap stuff that works well and you can't buy expensive stuff because there's no market for it. So you end up customizing."
But customization also can be cost-prohibitive, especially when coupled with enterprise expenses tied to patching vulnerabilities, whether it's in software to protect a network or to perform some other function.
Cohen noted that the cost of auditing code in pre-production amounts to $1 a line. "I think it's despicable to not spend a dollar per line to avoid global catastrophe."
Others, including vendors, agreed that the security industry needs to push for higher standards -- for
"I think we all have the same problem and we're all trying to fix it. And I think it's going to take the entire community to do that," said Sherry Ryan, CISO for Hewlett-Packard Inc., during a roundtable discussion on security challenges.
Suggestions ranged from the half-serious, such as ticketing developers who produce lousy software, to the point of revocation, to the more practical push for universal adoption of security standards like Generally Accepted Information Security Principles (GAISP), ISO 17799 and the Trusted Computer System Evaluation Criteria (TCSEC). There was also endorsement for product certifications such as Common Criteria and higher grades of Evaluation Assurance Level (EAL).
But one reason more vendors don't pursue such certifications, such as the different flavors of FIPS, is that users don't demand them. And such evaluations can cost software makers hundreds of thousands of dollars, maybe more.
"If you won't buy it because it doesn't have certifications, tell us and we'll do something about it," said Diana Kelley, security strategist with Computer Associates' eTrust security line.
Most importantly, users need to put pressure on vendors -- with their mouths and their money. Already there are industry leaders, such as the Business Roundtable, lobbying for congressional support for safer software. A particular target is end-user license agreements that prevent customers from suing over shoddy products that jeopardize business and weaken public safety when critical infrastructure networks or private data are breached. "We're all already paying for crappy code. It's a social cost. But the vendors aren't paying," said Mary Ann Davidson, CISO for Oracle Inc.
John Stewart, senior director of corporate security programs for Cisco Systems Inc., argued that suing vendors isn't the answer. "I think market economics is stronger than lawsuits," he said.
But some smaller vendors say that raising the security baseline too high and too quickly discriminates against younger startups, which frequently provide technological innovation but can't afford extensive code auditing.
One smart card vendor said it took her company more than a year to gain FIPS certification to market its software to the Department of Defense, a lead adopter of the technology. "This is not an even playing field," said MartSoft Corp. CEO Yuh-Ning Chen. "You can kill a lot of creativity and you can kill a lot of companies."
Many, however, agreed with Goldman Sachs CISO Phil Venables, who also rallied for better products. "We need more secure products, not more security products."