Business & Finance
News
2/16/2007
01:15 PM
Connect Directly
RSS
E-Mail
50%
50%

From Security To Sanity

What breakthrough does AT&T senior VP and chief security officer Ed Amoroso want from vendors? Try a bit of sanity. He spoke last week with editor-at-large Larry Greenemeier.

InformationWeek: Patching software has become widely acceptable, but can IT vendors and the industries they serve continue this way?

Ed Amoroso, AT&T's senior VP and chief security officerAmoroso: "Patch," unfortunately, is a euphemism for "error," for "mistake." And when you think of it as, "Here's a patch, and all I need is this little piece of software and everything will be all right," I think that glosses over what it is that we're really talking about here. Until you've lived through a problem that's exploited through one of these errors, you just don't get it.

InformationWeek: What's at stake for users who don't commit themselves to patching software as quickly as possible?

Amoroso: If you don't patch within a day or so, there are umpteen exploits all over the Internet that can be grabbed and put in a worm or botnet, harness, and just aimed at [unpatched] computers. Once you're caught, you now have a bot running on your computer. AT&T Labs estimates that on any given day there is a minimum of 10 million bot-infected PCs actively targeting other systems for the purpose of infecting, sending [distributed denial-of-service] attacks, sending spam, etc. That strikes me as a cancer on the Internet.

InformationWeek: How do we break this cycle?

Amoroso: The only way we'll ever get to the point where the software that powers our infrastructure is fully secure ... is to treat software engineering as a legitimate discipline. We completely underestimated how difficult it is to write software correctly.

InformationWeek: Is there some innovative new security technology that can put IT departments on equal footing with those attacking their systems?

Amoroso: I encourage [vendors] to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up. You figure out why the building is crumbling. We don't need more innovation, we need more sanity to recognize that we've got vulnerabilities in our software, and systems that are so complicated that you have no clue how people get in. ...

InformationWeek: How do chief security officers best work with CIOs?

Amoroso: We're usually joined at the hip, with many common goals. If you have a good CIO, ... then that CIO is going to be extremely demanding and not put up with holes in infrastructure, not put up with obvious problems, gaps in services, and so on.

Amoroso: "Patch" is a euphemism for "mistake"

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.