SAN JOSE, Calif. — Businesses could reduce their losses from data theft and intrusions if vendors would add dedicated security testing to their product development life cycle, says Mark Kadrich, CEO of San Jose-based Security Consortium Inc. (www.thesecurityconsortium.net), and author of “Endpoint Security” (ISBN 0-321-43695-4), to be released in June by Addison Wesley.
Buggy software is costing businesses and consumers billions in terms of clean-up costs ($60 billion annually, according to a NIST study (*1)), downtime (2.2 percent of enterprise revenues last year – about $30 million per enterprise, according to Infonetics), and privacy leaks (which cost businesses and consumers $49.3 billion in 2006, according to Javelin Research).
Third-party testing organizations like NIST’s Common Criteria are moving in the right direction. But they fail to get down to how the application will work when introduced into the variety of environments in which these applications will interact. Testing frameworks and standards are beginning to emerge, like those presented in a well-defined Carnegie Mellon paper (*2) on built-in security. The Open Web Application Security working group also has an end-to-end framework for testing, but it applies only to Web applications.
“But what we’re seeing is that nobody’s taking the time to build a practicable methodology and test how new security applications will really interact inside your enterprise environment and predict outcome,” says Kadrich.
The Consortium combines the product testing leadership and methodology of veteran testers with investigative field research to produce unbiased, realistic reports predicting how the product will interact within a client enterprise in support of its strategic goals, including how to work with the inadequacies of the product for maximum protection – and, in some cases, offer alternatives.
A network manager recently interviewed by Deb Radcliff, the Consortium’s VP of publishing and field research, could have saved $250,000 in up-front costs and a year’s worth of trouble through a service like this. Her source, owner/operator of a managed services company serving organizations in the 250-user range, could not go on record with the vendor name. But he does say the product never lived up to its promise to integrate so that he could upgrade his clients to manage their security devices.
“We never got our money back,” says the disgruntled corporate consumer of said product. “We lost $250,000 – and that’s not counting the missed revenues from not being able to upsell our managed security offering during that period.”
Having been on both the buying side and the selling side of this process, Kadrich says vendors need to create best practices around testing their products for vulnerabilities in their interactions with other network traffic before, during and after product development.
For now, though, it is up to user organizations to make testing a higher priority than it currently is, by developing policies and processes and dedicating more human resources to thoroughly stress-test new applications before allowing them to interact with the rest of the enterprise.
For more information visit http://www.thesecurityconsortium.net or contact:
Deva Loveland, of The Security Consortium, Inc., +1-408-971-0984.
(*1) Reference to NIST paper: http://www.nist.gov/director/prog-ofc/report02-3.pdf
(*2) Reference to Carnegie Mellon’s “Build security in” document: https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/532.html