From Security To Sanity

What breakthrough does AT&T senior VP and chief security officer Ed Amoroso want from vendors? Try a bit of sanity. He spoke last week with editor-at-large Larry Greenemeier.

InformationWeek: Patching software has become widely acceptable, but can IT vendors and the industries they serve continue this way?

Amoroso: "Patch," unfortunately, is a euphemism for "error," for "mistake." And when you think of it as, "Here's a patch, and all I need is this little piece of software and everything will be all right," I think that glosses over what it is that we're really talking about here. Until you've lived through a problem that's exploited through one of these errors, you just don't get it.

InformationWeek: What's at stake for users who don't commit themselves to patching software as quickly as possible?

Amoroso: If you don't patch within a day or so, there are umpteen exploits all over the Internet that can be grabbed and put in a worm or botnet, harness, and just aimed at [unpatched] computers. Once you're caught, you now have a bot running on your computer. AT&T Labs estimates that on any given day there is a minimum of 10 million bot-infected PCs actively targeting other systems for the purpose of infecting, sending [distributed denial-of-service] attacks, sending spam, etc. That strikes me as a cancer on the Internet.

InformationWeek: How do we break this cycle?

Amoroso: The only way we'll ever get to the point where the software that powers our infrastructure is fully secure ... is to treat software engineering as a legitimate discipline. We completely underestimated how difficult it is to write software correctly.

InformationWeek: Is there some innovative new security technology that can put IT departments on equal footing with those attacking their systems?

Amoroso: I encourage [vendors] to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up. You figure out why the building is crumbling. We don't need more innovation, we need more sanity to recognize that we've got vulnerabilities in our software, and systems that are so complicated that you have no clue how people get in. ...

InformationWeek: How do chief security officers best work with CIOs?

Amoroso: We're usually joined at the hip, with many common goals. If you have a good CIO, ... then that CIO is going to be extremely demanding and not put up with holes in infrastructure, not put up with obvious problems, gaps in services, and so on.

Amoroso: "Patch" is a euphemism for "mistake"