Security: It's all in the software
Published: 18 Apr 2008 16:23 BST
…security and that chief security officers' time should be spent on engineering, not network security.
Typically, most big organisations have security auditors that ensure software has had a minimum amount of testing before it's deployed. So, if we could get them on board to ensure that testing took place from the outset, it would happen. But, at the end of the day, this has to be driven from the top down. The people at the top have to realise that this is an important thing to do and look at how they're going to start protecting themselves better.
Until information-security considerations are built into software from the ground up, what else can organisations do to safeguard their systems and data more effectively?
The second thing that's very important is, in the past, we focused on looking for code that was bad. But the problem with that approach is that you only know if something is bad after it's been bad. So dealing with zero-day attacks can't happen with this methodology because they haven't already been proven to be bad.
So I say we should invert the problem. We know what's good, so [we should] only allow code to run that's good. If we only allow good things to run, bad things can't execute and can't do bad things. If we're able to do that, we won't even care whether a Trojan or worm is flying around because they can't do anything.
Whenever people hear about data being lost or that something bad has happened with a company they trusted... it shakes their confidence and that's a major inhibitor to adoption of the internet
Ted Schlein, Kleiner Perkins Caufield & Byers
So the key to it is: can you validate what's good and enforce that so only those things can execute and run? And that's why I invested in a company called Bit9. It has a database of hash files, which are essentially fingerprints of files that can verify which code is legal or not.
It has over six billion files registered in its global software registry and there are about 20 million applications that are allowed to execute. This encompasses nearly everything that you'd ever run, but the software checks the code is legitimate and locks down client machines. When anyone develops any software, they generate a hash file so Bit9 validates if something is legal. The company is just getting started and has about 40 to 50 customers, but only allowing what is good is brand new and it's threatening to the establishment.
What new threats do you expect to appear over the next few years?
One of my big worries is consumer confidence. Whenever people hear about data being lost or that something bad has happened with a company they trusted at one point, it shakes their confidence and that's a major inhibitor to adoption of the internet.
It's a macro trend and that means we have to do things to ensure that consumers are confident. As a result, I've invested in another company, LifeLock, which is all about identity-theft protection. It allows you to put fraud alerts at credit bureaux so, if someone steals your identity and tries to use it, they'll be prevented from doing so, which means that they can't do anything bad with it. It's a great service, which gives consumers peace of mind, and that's very important.
Previous
- The top five internal security threats
- Keeping mobile data from going walkabout
- Lib Dems call for data guardians
- Worker suspended over loss of prisoner data
- Ministry of Justice reports nine data breaches
- Foreign Office reports five data breaches since 2007
- ICO: Gov't ignoring data-sharing hazards
- Lords presses government for data-breach law
- Experts urge criminal charges for data breaches
- Justice minister urges overhaul of gov't data handling
- MoD announces data-protection action plan
- Systemic failure blamed for HMRC data loss
Did you find this article useful?
6 out of 7 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
