BP hits out at security standards

Vendors are failing to provide secure applications and systems says BP's director of security, who believes open source and open standards are the answer

Energy giant BP criticised the security record of application vendors on Tuesday, saying it was pushing the company towards open source software.

Software firms are not keen on cooperating on security, as it would mean making their systems interoperable, said Paul Dorey, BP's director of digital security.

"We need interoperability. I'm concerned about lack of competition, but I'm more concerned about interoperability. Open source has a role to play, as well as academia," said Dorey, speaking at the launch of the latest SANS Institute security research on Tuesday.

"At BP we are trying to go for open protocols. At some point in the future open source will become key," Dorey added.

Government officials also expressed unhappiness with vendors' security records, saying the network perimeter of government and business is not secure enough.

"We need fit for purpose architectures. One of the dirty secrets of security is that we rely on the network perimeter — but these dams leak," said Steven Marsh, the Cabinet Office's director of information assurance.

The government says it wants to promote Internet community action and mutual support to tackle security issues.

"We want to encourage Internet communities to set up systems whereby they communicate with each other within the community for mutual support," said Roger Cummings, director of the National Infrastructure Security Co-ordination Centre (NISCC).

"The inexorable march of Internet technology will come to dominate all electronic communications. Network convergence will happen at a global and a local level, merging onto a single platform, and it will all be connected to the dirty outside world of the Internet," said Cummings.

Good procurement is the answer
Today, application security is inadequate because it "relies on the good will and good citizenship of technology vendors to ensure computers are secure," said Alan Paller, director of the SANS Institute, a training body for information security professionals.

"It's easy for vendors to ensure security when the software is being built. Microsoft and Apple should sell secure systems to begin with," according to Paller.

Paller called for governments and businesses to force vendors to supply more secure systems by simply refusing to buy them if they don't meet security requirements.

"US Air Force chief information officer John Gilligan said in 2003 that it costs the military more to clean up the mess left by Microsoft than buying the software to begin with. He put $500m on the table, and specified safe configurations on every system. By doing that he has lowered the patch testing costs by $100 million or more. The Air Force now requires all software it buys to be built to run on the safe configurations developed by Dell," said Paller.

"That's the message for business — make your systems more secure by procurement, not regulation. We've been buying stuff that's broken, but you don't have to spend the money that way," Paller added.

"I put this to Congress, and they spluttered and said 'I don't understand why we're not doing this already.' It's the first time I've seen Congress think they can actually do something useful," Paller said.

The government agreed that vendors needed to guarantee security, but added that security needed to be dealt with within a company's perimeter too.

"The security of a product needs to be out of the box. There also needs to be firefighting within a company in this increasing risk environment," said Cummings.

Company directors also need to recognise the importance of security, and make decisions concerning it.

"There needs to be recognition that information risks are important at board level. The board needs to be losing sleep if they're not confident in their information assurance," said Marsh.