Software deployment should include security plan

The need for enterprise security processes and procedures has become so pervasive that companies that do not include security as a component of their software deployments risk seeing their downtime rise from 5% in 2004 to 15% in 2008. That projection comes from market researcher Gartner in one of its latest reports, 'Building a Sound Security Infrastructure: New Defenses for a New World of Threats.'

'Increasing Internet activity, along with the use of Web services, wireless connections and other new technologies, will lead to more vulnerable configurations,' says John Pescatore, vice president and research fellow at Gartner. 'These vulnerabilities will cause increased downtime for organizations that don't push security concerns into their processes for software development and procurement.'

Gartner offers the following advice to organizations that seek to avoid the escalation of major system problems caused by software vulnerabilities:

  • Pressure vendors to build more secure software. 
  • Drive their development organizations to reduce security vulnerabilities in their own software. 
  • Base software architectures on security standards. 
  • Incorporate mechanisms to limit the attack surface of applications directly exposed to the Internet.

Gartner defines 'vulnerability' as a weakness in process, administration or technology that can be exploited to compromise IT security. Vulnerabilities can exist in any layer of the application stack, caused by weaknesses in just about every IT administration, process or design function.

'Basic changes to the operating systems and hardware platforms used by servers and PCs will make dramatic leaps forward possible in some areas of software security,' Pescatore says. 'However, through 2008, IT leaders will need to implement stop-gap approaches to deal with new vulnerabilities associated with unsafe customer, employee and business partner platforms.'

Meanwhile, in another security-related report, the Yankee Group says vendors of software distribution tools have a wide-open opportunity to provide patch and configuration management tools.

In its 'Need to Free Critical IT Resources Propels Patch Management' report, the market research firm says traditional software maintenance solutions are better suited to software installation than to patches and upgrades. Software distribution tools provide features such as identification of new code versions, and they aid testing, installation and rollback.

The need for tighter control over desktops and servers creates opportunities for audit and compliance vendors such as BindView, and configuration and network management players such as LANDesk, AlterPoint, Altiris and Goldwire. Look for antivirus vendors to get into this market as well, the Yankee Group concludes.

About the Author

Michael Alexander is editor-in-chief of Application Development Trends.