Don't pay for insecure software, says SANS

The research director for SANS has attacked vendors for selling insecure software. But vendors insist they are doing as much as they can

Security organisation SANS has slammed the vendor community for failing to provide secure products.

While answering panel questions at the SANS Institute's Top 20 Vulnerabilities conference at the Department of Trade and Industry's offices in London on Friday, director of research for the organisation Alan Paller lashed out at vendors for leaving users to solve patching issues.

"This is not your problem," said Paller, addressing the audience of IT security managers. "You did not cause this. This is the vendors' problem. They get you into this state." Paller called for vendors to do more testing before they sell their products. He said that IT professionals should hold onto their money until vendors have proved that the product works. "The way you fix it is that you still have the pound in your hand," he said. "Make everyone who sells you something run a full security scan and give results before they sell a product, then that makes it their problem."

Oracle also came under fire in Paller's attack: "Oracle is famous for giving out patches that undo all your fixes," he said.

But Oracle hit back at Paller's claims, referring to Microsoft's and IBM's security practices.

In an email statement, the company said: "Oracle, of any major software vendor, offers the most widely tested software with several international security evaluations (17 for database, 19 overall) compared to one evaluation for Microsoft's database and none for IBM. When software security flaws are discovered, Oracle responds as quickly as possible with patches and workarounds in order to help protect information secured by customers in Oracle-based information systems."

At the beginning of the conference, Paller referred to Microsoft having won a SANS award last year for its auto-updates service. Chief security advisor for Microsoft UK Stuart Okin said that vendors are already doing as much as they can.

"I think overall that vendors do as much as possible," said Okin. "Microsoft, being one of the biggest companies, absolutely needs to take the lead in this. SANS awarding Microsoft is an example of how we are trying to teach our developers. And I absolutely agree that vendors need to do this."