Companies have made big investments in security, and even though keeping security current isn't as exciting as, say, investing in technologies that generate revenue, it still ranks among businesses' top priorities.
In the coming year, businesses and software vendors won't expect any reprieve from ever-inventive malware and hackers. InformationWeek Research's Outlook/Priorities 1Q 2006 survey of 300 business-technology professionals ranks updating security tools, policies, and procedures as the third most-important priority for businesses in early 2006. It's a priority beaten only by efforts to simplify or optimize business processes and cut IT costs, and ranked higher than boosting worker productivity and improving customer service.
Still, only 62% of respondents flagged security as a top priority, the lowest figure in InformationWeek Research's past six priority studies. It was rated a top priority by 82% of respondents at this time last year and peaked at 91% in the 2Q 2004 study.
One reason may be that some businesses have only just completed major security updates. Another may be that more businesses are building security into their software and system development from the outset, rather than bolting on security technologies after software or systems are deployed. "There's a shift in spending from add-on threat prevention to building in security from the ground up," says Paul Stamp, an analyst at Forrester Research.
Vendors Sign on
It's an approach software vendors are taking, too. While regular patch downloads from Microsoft, Oracle, and others have become the norm, in the coming year, look for vendors to redouble their efforts to get things right the first time.
Late last month, Oracle said it planned to start using Fortify Software Inc.'s Source Code Analysis tool to look for potential vulnerabilities in software being developed, including its application server, collaboration suite, database server, and identity-management software. "Patches are expensive for us to issue and for customers to apply," Oracle chief security officer Mary Ann Davidson says. "What you want to do is avoid this in the long run."
Oracle chose Fortify because other products couldn't analyze a code base the size of Oracle's, Davidson says. Oracle's technology stack consists of more than 30 million lines of code and is constantly changing as the company develops new versions of software.
Fortify's software also proved more accurate than other code-analysis tools Oracle tested. "False positives have been the bane of my existence," Davidson says. "A high false-positive rate makes the security problem worse. You have programmers chasing their tails."
Code-analysis tools aren't new, but they're being put to new uses. Earlier incarnations were primarily testing aids: they checked that code paths executed as designed, so that users got the experience vendors promised. Newer technologies such as Fortify's, along with Agitar Software's Agitator, Parasoft's JTest and C++Test, and Watchfire's AppScan, are tuned to find security holes during the application-development and testing phases. "Instead of looking at what the code should be doing, we look at what the code should not be doing," Fortify CEO John Jack says.
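As an added example, not code from the page or from Fortify or any other vendor named, the following Python sketch shows the "what the code should not be doing" style of check in miniature: a source-to-sink taint analysis run over a constructed snippet. The source, sanitizer and sink vocabularies, the `shell=True` rule, and the snippet itself are assumptions chosen for illustration; a real analyser ships far larger, per-framework lists and tracks flow across functions.

```python
import ast

# Assumed vocabularies for the demo; a real tool ships far larger, per-framework lists.
SOURCES = {"request.args.get", "input"}                  # attacker-controlled data enters here
SANITIZERS = {"shlex.quote", "int"}                      # results of these calls are treated as clean
SINKS = {"os.system", "eval"}                            # dangerous whatever the arguments look like
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}  # dangerous only with shell=True

# Constructed code under analysis (lines count from the leading newline, so 'def' is line 3).
SAMPLE = '''
import os, subprocess, shlex
def handler(request):
    cmd = request.args.get("cmd")
    os.system("ls " + cmd)                   # line 5: tainted string handed to a shell
    subprocess.run("ls " + cmd, shell=True)  # line 6: tainted string, shell=True
    subprocess.run(["ls", cmd])              # line 7: argv list, no shell: not a sink here
    os.system("ls /tmp")                     # line 8: constant argument, nothing tainted
    safe = shlex.quote(cmd)
    os.system("ls " + safe)                  # line 10: sanitizer breaks the taint chain
'''


def dotted_name(node):
    """'os.system' for Name/Attribute chains such as os.system or request.args.get, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if attacker data can reach this expression: a tainted variable, a source call,
    or any sub-expression built from one, unless a sanitizer call wraps it."""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
        return (any(is_tainted(a, tainted) for a in expr.args)
                or any(is_tainted(k.value, tainted) for k in expr.keywords))
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def is_shell_call(call):
    """subprocess.* only reaches a shell when called with a literal shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


def analyse(source):
    """Intra-procedural taint check in statement order, ignoring branches: assignments from
    tainted expressions taint their targets; sink calls fed by tainted data are reported."""
    tree = ast.parse(source)
    tainted, findings = set(), []

    def visit(node):
        if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if (name in SINKS or (name in SHELL_SINKS and is_shell_call(node))) \
                    and is_tainted(node, tainted):
                findings.append((node.lineno, name))
        for child in ast.iter_child_nodes(node):
            visit(child)

    visit(tree)
    return sorted(findings)  # -> [(5, 'os.system'), (6, 'subprocess.run')]


if __name__ == "__main__":
    for lineno, sink in analyse(SAMPLE):
        print(f"line {lineno}: attacker-controlled data reaches {sink}")
```

Run it and the two findings at lines 5 and 6 appear; line 7 is passed over because the argv form never reaches a shell, and line 10 because `shlex.quote` is on the sanitizer list. Those lists are exactly where a tool's false positives and false negatives come from: a sanitizer list that is too short sends programmers chasing their tails, and one that is too generous hides real bugs.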
Another way software vendors and businesses developing their own custom applications will improve security this year is to build security features such as user authentication, data encryption, and identity management into the software.
There are products coming onto the market that will help. 2factor Inc. will begin shipping its Real Privacy Management software development kit in February; it is designed to let companies build applications that perform continuous, mutual authentication and encryption. Unlike Secure Sockets Layer, 2factor says, its product will authenticate and encrypt every transmission for both sender and receiver, across any network and on any device.
The framework will offer open specifications that let authentication technologies such as hardware and software tokens, smart cards, and biometrics interoperate across networks. That matters because the Federal Financial Institutions Examination Council, an interagency body of U.S. financial regulators, has issued guidance calling on financial-services companies to move beyond single-factor authentication for online applications by year's end.
The next step in the evolution of authentication technology is mutual authentication between a business and its customers: the site must prove itself to the customer, not just the other way around. One form lets customers create a personalized page that they see each time they log on to a company's Web applications. If the customer lands on a logon page that lacks the specified personal information, such as a favorite phrase or a digital photo of a pet, the missing cue is the warning that the page might not be legitimate.
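As an added example, not code from 2factor or from any bank's system, the following Python sketch puts the two ideas above into one exchange: the server speaks first and proves itself to the customer before any credential is sent, pairing a human-checkable personal phrase with a machine-checkable HMAC proof, after which the customer proves itself back. All names, the password-derived key, the message layout, the nonce sizes and the enrolment data are assumptions for illustration.

```python
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-derived key shared by user and server; the password itself never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self):
        self.users = {}     # username -> (salt, key, personal phrase)
        self.pending = {}   # username -> (client_nonce, server_nonce) of a half-finished exchange

    def enrol(self, username, password, phrase):
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt), phrase)

    def step1(self, username, client_nonce):
        # Server speaks first: the personal phrase plus a proof that it holds the user's key.
        salt, key, phrase = self.users[username]
        server_nonce = os.urandom(16)
        self.pending[username] = (client_nonce, server_nonce)
        proof = hmac.new(key, b"server" + client_nonce + server_nonce, "sha256").digest()
        return salt, server_nonce, phrase, proof

    def step2(self, username, client_proof):
        _, key, _ = self.users[username]
        client_nonce, server_nonce = self.pending.pop(username)
        expected = hmac.new(key, b"client" + server_nonce + client_nonce, "sha256").digest()
        return hmac.compare_digest(expected, client_proof)


class Impostor:
    """A phishing site that has learned the victim's phrase but not the key."""
    def __init__(self, phrase):
        self.phrase = phrase

    def step1(self, username, client_nonce):
        return os.urandom(16), os.urandom(16), self.phrase, os.urandom(32)

    def step2(self, username, client_proof):
        return True   # would happily "accept" anything it is sent


class Client:
    def __init__(self, username, password, expected_phrase):
        self.username, self.password, self.expected_phrase = username, password, expected_phrase

    def login(self, server) -> bool:
        client_nonce = os.urandom(16)
        salt, server_nonce, phrase, server_proof = server.step1(self.username, client_nonce)
        key = derive_key(self.password, salt)
        expected = hmac.new(key, b"server" + client_nonce + server_nonce, "sha256").digest()
        # Verify the server (phrase for the human, HMAC for the machine) before sending anything.
        if phrase != self.expected_phrase or not hmac.compare_digest(expected, server_proof):
            return False
        client_proof = hmac.new(key, b"client" + server_nonce + client_nonce, "sha256").digest()
        return server.step2(self.username, client_proof)


def run_demo():
    server = Server()
    server.enrol("alice", "correct horse", "purple giraffe")   # constructed enrolment data
    return {
        "genuine": Client("alice", "correct horse", "purple giraffe").login(server),
        "wrong_password": Client("alice", "wrong", "purple giraffe").login(server),
        "impostor_server": Client("alice", "correct horse", "purple giraffe").login(
            Impostor("purple giraffe")),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the wrong-password and impostor cases the client never sends its own proof, because the server's proof fails to verify first. Two caveats a practitioner will want: the phrase is returned to anyone who presents the username, so it is a cue for the human rather than a secret, and only the HMAC step actually authenticates the server; and neither step stops an attacker who relays the live exchange between the real client and the real server, so the exchange also has to be bound to the transport, for example a TLS session.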
Since security is a numbers game that weighs risk against cost, companies in 2006 would do well to assess the level of risk in their IT environments and invest accordingly in security technology and user education. The price of securing networks and Web applications may be minimal when compared with lost business opportunities or, worse, lost or stolen data.
Illustration by Dan Page/Theispot.com