While companies may go to great lengths to ensure their IT environments are secure, technology vendors need to do more to make sure their hardware and software is up to scratch, according to security experts.
At a panel debate at Infosecurity Europe 2008 on Tuesday, security experts lined up to put some of the blame for hackers finding ways to exploit code on software makers. "Applications have become the new target for attacks," said Alan Paller of the SANS Institute, and referred to one Oracle user he claimed had suffered 80,000 attacks on its systems.
Rhonda MacClean, chief information security officer for Barclays, explained in detail how her company routinely tests the security of most of the software it buys in from suppliers.
"Using someone else's software does not abdicate you from responsibility for the security of the code," MacClean said, and added that the constant updates and service packs made life especially difficult for in-house IT people. "Just when you got used to the code, a new version comes along."
But despite the shortcomings of some software makers' code, IT departments are ultimately responsible for the code they use within their organisations.
"We want code that as far as security is concerned is A+," MacClean said. "But when we tested code [at Barclays] we found a lot of it was C-."
According to MacClean, the problem is relatively easy to improve. "We talk to [the suppliers] about the problem and we have got much better code as a result," she said.
Talkback
Security begins with the software creator, and most large companies have the tools to test before it hits the shelves. OS makers should be at the forefront of security, and they should collaborate with third-party writers to ensure security continues. I'm not sure you can make it completely bulletproof, but you can make it a lot harder to crack. Making IT responsible for security is a load of crap, if you are working with poorly written code.