The effort to make IT systems and networks more secure doesn't fall solely on security vendors. The fact that applications and operating systems come to market riddled with holes is the reason deploying software patches is such an important -- and costly -- task for security managers. Gartner estimates that a company with 1,000 servers can spend $300,000 to test and deploy a patch, and some companies have to deploy several patches a week. "The top of my list is patch management," Newmont's Kesl says. "Finding and patching vulnerabilities in software is a never-ending battle."
Software vendors say they're responding to market demand for more secure code by devoting more resources to software design and quality control. Microsoft's overwhelming installed base makes it the target of choice for hackers, and the vendor has responded to the growing number of attacks with a $100 million trustworthy-computing initiative to improve the security of its software and reduce the number of software updates and security bulletins it has to issue (see story, "Trust This: Microsoft Tries To Secure Windows"). That includes putting thousands of developers through 10 weeks of extra training to improve software design. "I applaud Microsoft for trying," Kesl says. "I just don't think anyone can secure these operating systems that keep doubling in size with each new version."
Building better software is important, because most attacks are aimed at known weak spots in applications and operating systems, according to the InformationWeek Research 2002 Global IT Security Survey, fielded by PricewaterhouseCoopers. Some 47% of companies surveyed this year say they were hit by attacks aimed at a known operating-system vulnerability, up from 33% last year. Attacks against known flaws in applications more than doubled in the same period, to 30% from 12%.
To block such attacks, software and hardware vendors are working together more closely. Sanctum expects by next month to have integrated its AppShield firewall into Internet traffic-management vendor F5 Networks Inc.'s BIG-IP Application Traffic Management device, so it can monitor application traffic and prevent unauthorized behavior. Last week, Okena Inc. struck a deal to integrate its intrusion-prevention software into a Unisys Corp. server. Sanctum's Weigle predicts application firewalls increasingly will be built into network security devices and the fabric of the network. Gartner's Pescatore says this makes sense: "Seventy-five percent of Internet attacks come through the application layer, and network-equipment makers see security as a potential revenue enhancer."
For chief security officers, however, security is all about preventing loss, and vendors have a long way to go in helping businesses protect their IT resources. "Software has to become much more secure, and the security tools we use have to become much more manageable," Kesl says. "We just ran a vulnerability scanner that told us we were vulnerable to flaws in software we don't even have installed."
Vendors admit it's slow progress in what's still an emerging sector of business technology. Software developers will continue to make mistakes and try approaches to security that won't work. Applications will be rushed to market before all their flaws are detected. And hackers will continue to exploit vulnerabilities. Predicting when better security tools will arrive, or what those tools will look like, is as tough as figuring out what the next great hack attack will be. "Anyone who tells you they know what's going to happen in security in the future has an overinflated view of their prescience," says Network Associates' Hodges. Then again, security managers already know that.
Illustration by Michael Morgenstern.
At least one observer thinks it's helping. Web-app security vendor Sanctum Inc. tests new software releases, and Microsoft's .Net platform "is the most secure we've found of the new platforms," CEO Peggy Weigle says. "That's not to say there are no holes. But it's not so bad that you can drive trucks through it." That's still far from where the software industry needs to be, whether it's independent software vendors or businesses writing custom apps. "Many vendors are getting better, but it will take five to seven years before we'll see really reliable software," she says.
It could take seven years for vendors and app developers to produce more reliable software, Sanctum CEO Weigle says.
Photo of Hartmann by Sacha Lecca
Photo of Weigle by Eric Mellette.