Vendors urged to take responsibility for security

When it comes to the security of hardware and software, suppliers should be put on the spot, argue experts at Infosecurity Europe 2008

While companies may go to great lengths to ensure their IT environments are secure, technology vendors need to do more to make sure their hardware and software is up to scratch, according to security experts.

At a panel debate at Infosecurity Europe 2008 on Tuesday, security experts lined up to put some of the blame for hackers finding ways to exploit code on software makers. "Applications have become the new target for attacks," said Alan Paller of the SANS Institute, and referred to one Oracle user he claimed had suffered 80,000 attacks on its systems.

Rhonda MacClean, chief information security officer for Barclays, explained in detail how her company routinely tests the security of most of the software it buys in from suppliers.

"Using someone else's software does not abdicate you from responsibility for the security of the code," MacClean said, and added that the constant updates and service packs made life especially difficult for in-house IT people. "Just when you got used to the code, a new version comes along."

But despite the shortcomings of some software makers' code, IT departments are ulitmately responsible for the code they use within their organisations.

"We want code that as far as security is concerned is A+," MacClean said. "But when we tested code [at Barclays] we found a lot of it was C-."

According to MacClean, the problem is relatively easy to improve. "We talk to [the suppliers] about the problem and we have got much better code as a result," she said.