Companies Pay Up To Plug Holes
Sidebar to: Quality First
It can cost $700 per desktop and $900 per server for laser manufacturer Coherent Inc. to patch its systems when a new software security vulnerability is discovered. Coherent runs roughly 1,700 desktops and 100 servers--which means the company can spend $90,000 to patch just one software flaw on all its servers, and almost $1.2 million to patch a security vulnerability in all its desktops. "That's profit, right out of the bottom line," says Jason Painter, corporate Webmaster at the Santa Clara, Calif., company.
Coherent isn't the only business footing the bills. The pace of new software defects with security implications is growing rapidly. Last month, the FBI's National Infrastructure Protection Center published a list of 63 security holes found in commercial applications between March 15 and April 4. Thirty-four of the flaws were labeled high risk, which means intruders can use them to gain immediate access to a system.
This steady drumbeat of new flaws is turning security administrators into firefighters. According to a recent study by Security Focus, 42% of security administrators spend more than two hours a day searching for new security-vulnerability information; 18% spend more than six hours a day.
It seems like what vendors are doing is releasing applications, "letting the hackers have fun, and then patching them after the fact," laments Bryan Covey, computer systems administrator for Panel Components Corp., an electrical components manufacturer in Oskaloosa, Iowa.
The chief information security officer at a national financial-services company says the problem comes down to speed and cost. "Years back, quality was the priority. Then it became 'get it out now.' Quality went into the trash," he says. The recent tech slowdown has helped developers focus more on building quality code, he adds, "but it hasn't gotten back to where it was." His company uses Sanctum Inc.'s AppScan to ferret out holes through which hackers might try to slither. Then the company throws a team of ethical hackers--hired to attempt to break into systems to find vulnerabilities--at the Web site. "They find the stuff the scanner software isn't designed to. Between the two techniques, you catch a lot," he says.
Many contend software is simply too complicated to perfect. "You have to go into things with your eyes open," says Ron Richards, corporate audit and security services officer for travel-planning company Worldspan L.P. in Atlanta. Ironclad software would be too expensive to develop, he says.
Others disagree. "You don't buy a car expecting it to fail," says William Guttman, professor of economics and technology and director of the software center at Carnegie Mellon University. "Software is never going to be perfect, but we've had so many problems, I think people have just given up on the idea."
Administering patches remains a time-intensive, manual process at most companies. In InformationWeek Research's software-quality study of 800 business-technology professionals conducted last month, only a quarter automatically download software patches or bug fixes, while just over 60% do so periodically or in response to a problem.
No wonder security professionals are so down on the software vendors and their apps. "Software stinks," says the chief security officer at an electric utility company. "I became a security officer because I want to protect this company's assets from threats inside and outside, not manage teams of administrators running around patching servers and applications because they're not being developed properly. I'm tired of this entire scene, and so is every security officer I know."