Fortify urges security rethink

Roger Thornton of Fortify says as companies spend more on information security, the number of exploits continues to rise. He says it's time to re-examine the security around software.

Hi, I'm Roger Thornton, CTO of Fortify Software. The subject today is information security, more specifically, the security dilemma, one, two, three.

One, if we were to take a look at information security today and give it a grade, what grade do you think it would get? Well, let's take a look at some facts. Today, businesses are spending more money than they ever have on securing information systems, protecting them from worms, viruses, malicious insiders and hackers. Literally billions of dollars are being spent on this, and the desired effect is for the exploits that rob private data and harm systems to go down. But I probably don't have to tell you that those exploits are rising and are, in fact, at an all-time high. Our hacker math is all wrong.

Two, why is that? Well, what do the experts have to say? According to the National Institute of Standards and Technology, 92% of all the vulnerabilities that they tracked in 2003 were actually at the application level, operating systems and business applications, not at the network. According to the Gartner Group, last year 70% of all the information system vulnerabilities in large corporations were again at the application software level, not at the network. It has something to do with the way that we think about security. Traditionally, we think about protecting the thing that's important to us. In this case, it's the software that holds our business data and automates business processes, and we put it behind walls so that the bad guys can't get at it. Well, about 10 years ago, what we figured out was that if we took computer programs and poked through those walls and made those programs talk to other programs, we got things like the World Wide Web, e-mail, instant messenger. Well, when business got a hold of this technology, they did all sorts of things: integrating manufacturing systems, moving inventory part information between companies, automating financial systems, moving financial information between companies, automating healthcare systems, moving healthcare information in real time, synchronized transactions between businesses. What does this do to our security profile? Well, what it does is, it makes these walls less effective or maybe even absolutely ineffective at protecting the software.

This is at the heart of what's causing us the problem with our hacker math. If we're able to make the software itself fundamentally secure, then, despite the fact that it's poking through our walls (firewalls, intrusion detection systems, and so forth), we will get a handle on our hacker math and the number of exploits will go down. So I would say we don't have a security dilemma today; we have a software dilemma.