- 10 open source companies to watch
- Mythbuster busts his own tale
- $208 million petascale computer gets green light
- Sony recalls 73,000 Vaio laptops
- Chrome and Firefox and add-ons
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable."
"I think my response was 'What idiot dreamed this up?," Davidson said Thursday at the W3C conference in Edinburgh, Scotland.
If civil engineers built bridges in the same fashion in which software developers write code, people would face the "blue bridge of death" every morning going to work, Davidson said. Software developers, she noted, tend to laugh nervously when they hear the analogy -- an insider reference to what programmers call the blank, "blue screen of death" on a PC display when Windows fails.
But Davidson, who commands a security unit responsible for database applications used by multinational companies and governments, said developers often have a blind eye for security. Hackers are proving ever more capable of taking advantage of poorly written software, and it's naive for developers to think those holes won't be exploited, she said.
"The mentality needs to change," she said.
The financial cost of faulty code in software is staggering. The National Institute of Standards and Technology, a U.S. government agency, estimates computer security problems cost between $22.2 billion to $59.5 billion per year, Davidson said.
The problem of insecure software starts with how software developers are taught at universities and goes straight through to systemic vendor attitudes, Davidson said.
Software coders at Oracle often need remedial coding education after they are hired since they don't consider how "evil" input could affect their products such as databases, Davidson said. Universities are not teaching secure coding practices and are reluctant to change their curriculum, she said.
Vendors are pressured to move products into the market as quickly as possible, and often lack the tools to build better ones, Davidson said. As a result, software development is reaching a "tipping point" where poor security is a board-level issue.
The result of bad code means spiraling patching costs for both clients and companies such as Oracle. Davidson said the record for fixing one defect was 78 patches, which cost the company around $1 million.
Rss FeedRss Feed
Gartner summarizes its view on Application Delivery Controllers, evaluates strengths and weaknesses...
Vulnerability Management For DummiesDownload this concise book "Vulnerability Management for Dummies," to learn about the simple steps...
The ROI and TCO Benefits of Data Deduplication for Data Protection in the EnterpriseThis paper examines and quantifies the costs and benefits of backup with deduplication storage as...
Life on the edge of your WAN has changed dramatically. With the need to deliver advanced services,...
PoE Plus: Impact on the PoE MarketThe standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...
We have so many holes punched in our firewalls today that many industry insiders question the value...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment