Software the vulnerability culprit

Securing a business's IT infrastructure – and so protecting the data that resides within it – requires daily vigilance.

However, few businesses have the IT resources needed to secure the network, and with most of their focus on managing day-to-day operations, security tends to feature near the very end of a list of "more pressing" priorities.
It is usually only when something goes wrong that security is dragged into the spotlight: identified vulnerabilities are patched up, a few new security products are bought and installed, and the security policy – if there is one – is updated.
"Thereafter security is ignored once again until the next identified attack," says David Jacobson, technical director at Johannesburg-based Synaq, a company focused on delivering managed Linux services in the mail security and network monitoring arenas.
"One problem is that the initial scramble to fix the identified problem may not include the identification of all vulnerabilities. In addition, some of the products installed to 'fix' the problem could well end up making the entire IT environment even more insecure."
According to Jacobson, the key to IT security is secure software – software that is written with not only features, but also security, in mind. However, he says, software is seldom developed with an eye on back-end security requirements. Developers are usually under pressure to deliver the required features within tight deadlines that leave little time to check for vulnerabilities at each step of the way. The result is that most software is inherently vulnerable.
"It's therefore unfortunate that many people – business executives as well as so-called security experts – believe that the implementation of one or two security products can address security issues. There cannot be a 'one size fits all' approach to security as each environment is different, with its own set of vulnerabilities and some security products themselves contain flaws which increase a network's vulnerability rather than reduce it," he adds.
"Indeed, if businesses are serious about security, they need to understand that the only way to truly check that they are secure is to view the code. That's one of the reasons I believe Open Source software is the better option for companies where security is of the utmost concern. It's not that Open Source is more secure, but rather the fact that you can view the code, see any vulnerabilities yourself and even fix them if necessary, if you have the skills to do so."
In addition, Jacobson recommends that prior to implementing any application, including a security product, users – or their security advisors – should check the 'pedigree' of the product.
This would include determining whether any vulnerabilities or flaws had been detected in the product, and how well or how quickly the vendor had responded to those reports. Most of this information is to be found on websites like www.securityfocus.com, a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the global IT security community.
"The SecurityFocus Vulnerability Database, for example, delivers an invaluable service by providing security professionals with the most up-to-date information on vulnerabilities for all platforms and services. Another SecurityFocus service is BugTraq, a high volume, full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq is, without doubt, the cornerstone of the Internet-wide security community," he adds.
By keeping abreast of daily developments in the security arena globally, security professionals can help ensure their clients remain protected.
"Security threats change from day to day. And dealing with these threats involves a lot more than installing a firewall or anti-virus software. It demands a holistic understanding of every aspect of the environment that is to be protected, and the ongoing updating and re-evaluation of the security measures to ensure vulnerabilities are identified and rectified before an attack occurs.
"It's a full-time job and deserves as much attention as every other aspect of IT support and maintenance," Jacobson concludes.