Today we have a guest blogger – Eric Baize, Senior Director, Product Security Office, EMC. Eric discusses security assessment of products by IT buyers.

The software assurance community has been busy finding ways for IT buyers to effectively assess the security of the products they purchase. Steve Lipner from Microsoft wrote an excellent summary of the various attempts at evaluating software assurance. This discussion perfectly illustrates the parallel between software assurance and medicine; it is a unique opportunity to look at what centuries of research in science and medicine can teach us about risk management.

Take heart disease as an example. Science shows that high cholesterol and high blood pressure increase the risk of heart disease. Does this mean that anybody with low cholesterol and low blood pressure can claim that they will never suffer a heart attack? Not at all. In medicine, you never say “never”: you focus on prevention and you get ready for the worst. Heart disease prevention campaigns recommend lifestyle measures such as diet or exercise that keep blood pressure and cholesterol low. Understanding a person’s lifestyle is the best way to predict that person’s risk of suffering a heart attack, and having a defibrillator at hand ensures that, should it happen, the heart attack can be dealt with efficiently.

Software assurance is no different. Vulnerabilities in software are like heart disease: neither a software developer nor an IT vendor can credibly claim that their product has no security defects. Understanding a software organization’s “lifestyle”, i.e. the processes it has put in place to prevent and respond to software vulnerabilities, may be the best predictor of the security of the products it builds:

  • Does the organization developing the product have secure software development standards in place?
  • Do they have a team with authority that provides the necessary oversight?
  • Are developers properly trained to develop secure software?
  • Do they publicly share their software assurance practices on dedicated web pages?
  • Do they have an easy-to-find way to report vulnerabilities in their product?
  • Do they have a process in place to properly and expeditiously address reported vulnerabilities?

The answers to these questions can often tell you more about the long-term security posture of a product than a successful point-in-time security test or any vendor claim. Software vulnerabilities are like heart disease: never say “never”, focus on prevention, and get ready to respond.