Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Are You Vulnerable?: Page 8 of 13

Vulnerability-assessment software, asset-tracking systems and patch-management tools are not just beneficial. They're necessary. But these are still tactical solutions to a very strategic problem: the staggering number of vulnerabilities in mainstream OSs, services and applications. The answer--as any hardened security professional will tell you--is in the hands of developers. The world needs better software engineering, or we'll never escape today's patch-and-pray model.

But better software engineering is not going to come overnight, and it's certainly not something the enterprise customer can control. So what can be done? Start making security a key factor in product purchasing and deployment decisions, and seek out products with better security track records. ICAT is a good place for the motivated consumer to start, but those who subscribe to SAC, Bugtraq or VulnWatch will also be able to identify common offenders.

Philosophical debates aside, products that have better vulnerability track records, and thus have required less patching, not only reduce an organization's day-to-day risk, they also reduce the TCO (total cost of ownership) via lower support costs. For example, consider choosing Apache over IIS, Postfix instead of Sendmail, Tinydns instead of Bind, and Opera instead of IE. Obviously, these are not isolated decisions; security and patching requirements are just one point among many criteria. But it's a factor that is growing in importance.

If consumers begin factoring security track records into their purchasing decisions, it will send a clear message to vendors: Those that design and implement more secure products will be rewarded, and those that don't will be penalized. Think of how much easier and cheaper it would be to operate a computing environment that didn't require patching.

What Lies Ahead