Wanted: Up-Front Security - InformationWeek


Software // Enterprise Applications
02:55 PM

Wanted: Up-Front Security

Security built into software and systems will be a high priority for businesses in 2006.

Companies have made big investments in security, and even though keeping security current isn't as exciting as, say, investing in technologies that generate revenue, it still ranks among businesses' top priorities.

In the coming year, businesses and software vendors won't expect any reprieve from ever-inventive malware and hackers. InformationWeek Research's Outlook/Priorities 1Q 2006 survey of 300 business-technology professionals ranks updating security tools, policies, and procedures as the third most-important priority for businesses in early 2006. It's a priority beaten only by efforts to simplify or optimize business processes and cut IT costs, and ranked higher than boosting worker productivity and improving customer service.

Still, only 62% of respondents flagged security as a top priority. That's the lowest percentage in InformationWeek Research's past six priority studies. It was rated a top priority among 82% of respondents at this time last year, and received an all-time high respondent rate of 91% in the 2Q 2004 study.

[Chart: Less Urgency]

One reason may be that some businesses have just completed major security updates. Another reason might be that more businesses are making security a strategy of their software and system development from the onset, rather than adding on security technologies after software or systems are deployed. "There's a shift in spending from add-on threat prevention to building in security from the ground up," says Paul Stamp, an analyst at Forrester Research.

Vendors Sign on
It's an approach software vendors are taking, too. While regular patch downloads from Microsoft, Oracle, and others have become the norm, in the coming year, look for vendors to redouble their efforts to get things right the first time.

Late last month, Oracle said it planned to start using Fortify Software Inc.'s Source Code Analysis tool to look for potential vulnerabilities in software being developed, including its application server, collaboration suite, database server, and identity-management software. "Patches are expensive for us to issue and for customers to apply," Oracle chief security officer Mary Ann Davidson says. "What you want to do is avoid this in the long run."

Oracle chose Fortify because other products couldn't analyze a code base the size of Oracle's, Davidson says. Oracle's technology stack consists of more than 30 million lines of code and is constantly changing as the company develops new versions of software.

Fortify's software also proved more accurate than other code-analysis tools Oracle tested. "False positives have been the bane of my existence," Davidson says. "A high false-positive rate makes the security problem worse. You have programmers chasing their tails."

Code-analysis tools aren't new, but they're doing new types of things. Earlier incarnations were primarily designed to test programs to make sure that areas of code executed according to plan, so that users got the experience that vendors promised. New technologies such as Fortify's, as well as Agitar Software's Agitator, Parasoft's JTest and C++Test, and Watchfire's AppScan, are tuned to address security holes during the application-development and testing phases. "Instead of looking at what the code should be doing, we look at what the code should not be doing," Fortify CEO John Jack says.
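To make concrete the distinction Jack draws, and Davidson's complaint about false positives, here is an added example that is not Fortify's, Oracle's or any vendor's code. It is a toy source-code analyser built on Python's standard `ast` module: instead of checking that a program does what it should, it checks for something it should not do (untrusted input reaching a shell-command sink). The `SOURCES`, `SINKS` and `SANITIZERS` lists and the `SAMPLE` program are constructed for the illustration; the `track_taint=False` mode is a deliberately naive rule, included to show how an imprecise rule produces the false positives that send programmers "chasing their tails".

```python
"""Added example (not any vendor's code): a tiny 'what the code should not do'
analyser using only the standard library, with a precise and a naive rule."""
import ast

# Constructed lists: where untrusted data enters, which calls are risky sinks,
# and which calls neutralise the data.  Real tools ship thousands of these.
SOURCES = {"input"}
SINKS = {"os.system", "subprocess.call"}
SANITIZERS = {"shlex.quote"}


def _dotted(node):
    """Return 'pkg.attr' for a call target such as os.system, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class Analyzer(ast.NodeVisitor):
    def __init__(self, track_taint):
        self.track_taint = track_taint
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line number, message)

    def _is_tainted(self, node):
        """Does this expression carry data that came from a SOURCE unsanitised?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SANITIZERS:
                return False            # cleaned before use
            if name in SOURCES:
                return True
            return any(self._is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):  # f-string
            return any(self._is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):      # "cmd " + x
            return self._is_tainted(node.left) or self._is_tainted(node.right)
        return False

    def visit_Assign(self, node):
        # Propagate or clear taint through simple assignments.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in SINKS:
            if self.track_taint:
                hit = any(self._is_tainted(a) for a in node.args)
            else:
                # Naive rule: any non-literal argument is suspicious.
                hit = any(not isinstance(a, ast.Constant) for a in node.args)
            if hit:
                self.findings.append((node.lineno, f"untrusted data reaches {name}"))
        self.generic_visit(node)


def analyze(source, track_taint=True):
    """Return [(line, message)] for every sink the chosen rule flags."""
    analyzer = Analyzer(track_taint)
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program under analysis (never executed, only parsed).
SAMPLE = '''\
import os, shlex
home = "/home/app"
name = input("file: ")
os.system("ls " + name)                 # line 4: real problem
safe = shlex.quote(input("file: "))
os.system("ls " + safe)                 # line 6: sanitised first
os.system("ls " + home)                 # line 7: program constant
os.system("ls /tmp")                    # line 8: literal
'''

if __name__ == "__main__":
    print("taint-aware rule:", analyze(SAMPLE))
    print("naive rule:      ", analyze(SAMPLE, track_taint=False))
```

On the sample, the taint-aware rule reports only line 4, while the naive rule also reports lines 6 and 7, which a developer would have to investigate and dismiss. The precision comes from tracking where data originated and whether a sanitiser touched it, which is the work a real analyser does at far larger scale across the call graph.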

Another way software vendors and businesses developing their own custom applications will improve security this year is to build security features such as user authentication, data encryption, and identity management into the software.

There are products coming onto the market that will help. 2factor Inc. in February will begin shipping its Real Privacy Management software development kit, which is designed to let companies develop applications that perform continuous, mutual authentication and encryption. Unlike Secure Sockets Layer encryption, 2factor says its new product will authenticate and encrypt every transmission for both sender and receiver across any network, on any device.
