
Built-In Software Security Flaws Have Companies Up In Arms

More than half of those responding to InformationWeek Research's Global Security Survey 2006 say vendors should be held legally or financially responsible for products' security vulnerabilities.
Buggy software is the cause of serious security headaches, and U.S. business technology professionals have had enough: More than half of those responding to InformationWeek Research's Global Security Survey 2006 say vendors should be held legally or financially responsible for products' security vulnerabilities.

The level of responsiveness required to manage security patches is "painful," says Joe Dial, information security administrator at the Newport News, Va., offices of Siemens VDO Automotive, an auto electronics maker. Keeping up with patches takes up most of Dial's time, even though he also manages the facility's Internet connectivity and other networking projects.

Patch management requires companies to trust their vendors, who often protect their intellectual property by not disclosing just how they're fixing a vulnerability. Microsoft is one such vendor; its monthly patch downloads introduced the term "Patch Tuesday" into the IT vernacular. "In the past, [Microsoft] made it easy to be hacked," Dial says. "As a result, you have to be extremely proactive, which is hard when you don't know what's included in the patches Microsoft offers."

Dial credits Microsoft for issuing patches promptly, at least. Oracle, on the other hand, issues patches quarterly, and they often disrupt Siemens VDO Automotive's systems. Third-party patches, which gained prominence this year when Microsoft was slow to patch its Windows Meta File vulnerability, aren't an option for Siemens VDO Automotive. "I'm not going to go to hacker or cracker Web sites and do secret handshakes with people just to keep up with all of the threats to my network," Dial says.

General Motors' IT operations are completely outsourced, but chief security officer Eric Litt ultimately is responsible for the carmaker's systems and data security. GM makes all its own IT-related decisions but requires a lot of help from vendors. Litt would like vendors to provide enough information about new vulnerabilities so GM can protect itself before the patches arrive. That doesn't always happen. The real solution, he says, lies in vendors selling more secure products.

Continue to the sidebars:
Outsourcers Fill Businesses' Security Gaps
and Global Differences

Return to the story:
InformationWeek Global Security Survey 2006: Controlled Chaos