Put pressure on vendors says SANS

Put pressure on vendors says SANS
Put pressure on vendors says SANS 

By Jeremy Kirk
IDG News Service
24 April 2008

Companies are having more success in pressuring software vendors into 
including security into their products, a trend that vendors are 
resisting less, according to one security expert.

Before granting a contract, companies now are requiring that vendors 
also test software patches on systems with the same configurations as 
users are running, said Alan Paller of SANS, an IT training 

Another new trend is groups of companies agreeing on base security 
standards for applications and then passing those requirements onto 

"It's using the contracts to shift the responsibility for security 
upstream to the vendor where the economies of scale make it [security] 
cost effective," Paller said.

Software makers have fought the initiatives "tooth and nail," but are 
coming around, Paller said. "They don't like the users to take control," 
he said. "They want to control the buying process, so they don't like 
this idea, but there isn't any other idea that's a good one for fixing 
these problems."

The requirement comes after companies have struggled with slow patching 
cycles and rising risks that come with deploying insecure Web-based 

Websites are rife with security problems: In 2006, the Web Application 
Security Consortium surveyed 31,373 sites and found that 85.57 percent 
were vulnerable to cross-site scripting attacks, 26.38 were vulnerable 
to SQL injection and 15.70 percent had faults that could let an attacker 
steal information from databases.

"This is a big problem," Paller said. "We've got to get it fixed in a 

Vendors have typically only tested their software patches on machines in 
default configurations, which isn't representative of the real IT world, 
Paller said. Many businesses use custom applications with custom 
configurations, which require rigorous testing to ensure a patch won't 
break their applications.

The US Air Force was one of the first organisations that tried a new 
approach when contracting IT systems with Microsoft and other 
application vendors about two years ago to enable speedier patching, 
Paller said.

The Air Force's CIO at the time, John M. Gilligan, consolidated 38 
different IT contracts into one and ordered all new systems to be 
delivered in the same, secure configuration. Then, he ordered that 
application vendors certify that their applications would work on the 
secure configurations, Paller said.

Then Gilligan took his case to Microsoft. At the time, it took the Air 
Force about 57 days between the time a patch was released until their 
450,000 systems were up-to-date. Gilligan wanted Microsoft to test its 
patches on machines with the same configuration as the Air Force's, 
shifting the cumbersome testing process back to the vendor.

The negotiations, which didn't start off well, culminated with a meeting 
with CEO Steve Ballmer. "The story is that he [Gilligan] used a 
four-letter word in the meeting," Paller said. "You know what the 
four-letter word was? Unix."

Gilligan won. Now, the Air Force can patch in about 72 hours now, and 
they're looking to cut that to 24 hours, Paller said. The idea was so 
successful that as of 1 February, the US government implemented the same 
conditions for all of its agencies.

Another sea-change is under way in security: Training application 
developers in security. Traditionally, security has never been a part of 
computer programming courses. Paller said he's been making the case for 
stronger security training, but in many times received a cold shoulder 
from universities, who have little incentive to change their ways - 
until now.

Heavyweight IT companies are warning universities that they don't want 
to have to send new hires to remedial security training. Mary Ann 
Davidson, chief security officer at Oracle, wrote earlier this month 
that she contacted the top 10 universities the company recruits from, 
saying only those with security training would get preference in hiring.

That's an embarrassment to universities, which will now likely modify 
their curriculum accordingly. Interestingly, developers want security 
training. "The programmers want to know what they don't know," Paller 

Subscribe to the InfoSec News RSS Feed 

Site design & layout copyright © 1986-2014 CodeGods