Hi, I'm Roger Thornton, CTO of Fortify Software. The subject today is information security, more specifically, the security dilemma, one, two, three.
One, if we were to take a look at information security today and give it a grade, what grade do you think it would get? Well, let's take a look at some facts. Today, businesses are spending more money than they ever have on securing information systems, protecting them from worms, viruses, malicious insiders and hackers. Literally billions of dollars are being spent on this, and the desired effect is for the exploits that rob private data and harm systems to go down. But I probably don't have to tell you that those exploits are rising and are, in fact, at an all-time high. Our hacker math is all wrong.
Two, why is that? Well, what do the experts have to say? According to the National Institute of Standards and Technology, 92% of all the vulnerabilities that they tracked in 2003 were actually at the application level, operating systems and business applications, not at the network. According to the Gartner Group, last year 70% of all the information system vulnerabilities in large corporations were again at the application software level, not at the network. It has something to do with the way that we think about security. Traditionally, we think about protecting the thing that's important to us. In this case, it's the software that holds our business data and automates business processes, and we put it behind walls so that the bad guys can't get at it. Well, about 10 years ago, what we figured out is that if we took computer programs and we poked through those walls and made those programs talk to other programs, we got things like the World Wide Web, e-mail, instant messenger. Well, when business got hold of this technology, they did all sorts of things like integrating manufacturing systems, moving inventory part information between companies, automating financial systems, moving financial information between companies, automating healthcare systems, moving health care information in real time, synchronizing transactions between businesses. What does this do to our security profile? Well, what it does is, it makes these walls less effective or maybe even absolutely ineffective at protecting the software.
This is at the heart of what's causing us the problem with our hacker math. If we're able to make the software itself fundamentally secure, then despite the fact that it's poking through our walls, firewalls, intrusion detection systems, and so forth, we will get a handle on our hacker math and the number of exploits will go down. So I would say we don't have a security dilemma today; we have a software dilemma.