New Threats Ahead

Hackers will find new ways to attack systems, but vendors say they'll be ready

George V. Hulme, Contributor

December 3, 2004


While progress has been made in the fight to secure applications and networks from attacks, don't expect threats to evaporate any time soon. Despite large software vendors' efforts to strengthen their software code and new technologies that lock down networks and applications, attackers will find new ways to exploit the Internet and business-technology systems. Web services and ubiquitous wireless access will continue to add new security threats.

"Businesses battened down their network years ago and hackers moved up to applications," says John Pescatore, a security analyst with research firm Gartner. "As certain areas of security improve and technology grows, hackers will move to new weaknesses."

Large software vendors are investing more money in development processes, Radianz's Hession says.

To confront the threats more effectively, antivirus and firewall software will become more commonplace for smart devices, as will Web-services firewalls. And security enhancements increasingly will be built into core network infrastructure and hardware. In Cisco Systems' routers and Microsoft's Windows operating system, for instance, built-in intelligence will let businesses limit access from systems, including notebooks and PDAs, that fail to meet security requirements, such as whether antivirus software and patch levels are up to date. Embedded-chip maker Phoenix Technologies Ltd. has built device authentication with public key infrastructure and secure crypto-key storage into its hardware so companies can identify trusted systems before they're allowed to log on to their networks.

Yet systems are only as secure as the applications that run on them. "The large [software vendors] got caught with their pants down, and they're now putting more money into their development processes," says Lloyd Hession, chief security officer at Radianz, a provider of financial-services networks.

Software vendors increasingly are training developers to create more-secure applications, and some have instituted "ethical hacking" teams that attempt to break into software applications to find flaws before the real hackers do. "My worst fear is someone is going to whack our customers, and I do everything to avoid that," says Mary Ann Davidson, chief security officer at Oracle. Software quality "is a systemic industry problem," she says. "I've spoken with very bright developers who look confounded when you explain what a buffer overflow is." Oracle conducts secure coding training and has 100 pages of formal design specifications its developers use to engineer reliability and safety into applications.

IBM Tivoli continuously improves software development by conducting design-code reviews, and it has stepped up the number of applications it runs through the Common Criteria certification process, an international security evaluation standard, says Bob Blakley, chief scientist of security and privacy. "Vendor software is generally more stable today than it was five and 10 years ago," Blakley says. "If there's a perception out there that software is more fragile, that's because it's subject to more hostile attacks today than in the past. It's fair to say that software quality is improving but that the threat environment is worsening." And that's one trend business-technologists can expect will continue for some time to come.


About the Author(s)

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications and is a security blogger at InformationWeek.com.
