Security - vendors must take some responsibility

While companies may go to great lengths to ensure their IT environments are secure, technology vendors need to do more to make sure their hardware and software is up to scratch, according to security experts.

At a panel debate at Infosecurity Europe 2008, security experts lined up to put some of the blame for hackers finding ways to exploit code on software makers. Alan Paller of the SANS Institute said: "Applications have become the new target for attacks," and referred to one Oracle user he claimed had suffered 80,000 attacks on its systems.

Security A to Z

From antivirus to zero-day, click here for silicon.com's alphabetical guide to security.

Rhonda MacClean, chief information security officer for Barclays, explained in detail how her company routinely tests the security of most of the software it buys in from suppliers.

MacClean said: "Using someone else's software does not abdicate you from responsibility for the security of the code." She added that the constant updates and service packs made life especially difficult for in-house IT people. "Just when you got used to the code, a new version comes along."

But despite the shortcomings of some software makers' code, IT departments are ultimately responsible for the code they use within their organisations.

MacClean said: "We want code that, as far as security is concerned, is A+. But when we tested code [at Barclays] we found a lot of it was C-."

According to MacClean, the problem is relatively easy to improve. She said: "We talk to [the suppliers] about the problem and we have got much better code as a result."

Original article: Vendors urged to take responsibility for security from ZDNet UK