Insecure Applications Cost Users Billions, says The Security Consortium

Author: The Security Consortium, Inc.
Dateline: Mon, 19 Mar 2007

freeNewsArticles Story Summary: “SAN JOSE, Calif. - Mar. 19 (SEND2PRESS NEWSWIRE) -- Businesses could reduce their losses from data theft and intrusions if vendors would add dedicated security testing to their product development life cycle, says Mark Kadrich, CEO of San Jose-based Security Consortium, and author of 'Endpoint Security' (ISBN 0-321-43695-4), to be released in June by Addison Wesley.”



A R T I C L E:

SAN JOSE, Calif. - Mar. 19 (SEND2PRESS NEWSWIRE) -- Businesses could reduce their losses from data theft and intrusions if vendors would add dedicated security testing to their product development life cycle, says Mark Kadrich, CEO of San Jose-based Security Consortium (www.thesecurityconsortium.net), and author of "Endpoint Security" (ISBN 0-321-43695-4), to be released in June by Addison Wesley.

Buggy software is costing businesses and consumers billions in terms of clean-up costs ($60 billion annually, according to a NIST study(*1)), downtime (2.2 percent of enterprise revenues last year - about $30 million per enterprise, according to Infonetics), and privacy leaks (which cost businesses and consumers $49.3 billion in 2006, according to Javelin Research).

Third party testing organizations like NIST's Common Criteria are moving in the right direction. But they fail to get down to how the application will work when introduced into the variety of environments wherein these applications will interact. Testing frameworks and standards are beginning to emerge, like those presented in a well-defined Carnegie Mellon paper(*2) on built-in security. And the Open Web Application Security working group also has an end-to-end framework for testing, but it only applies to Web applications.

"But what we're seeing is that nobody's taking the time to build a practicable methodology and test how new security applications will really interact inside your enterprise environment and predict outcome," says Kadrich.

The Consortium combines the product testing leadership and methodology of veteran testers with investigative field research to produce unbiased, realistic reports predicting how the product will interact within a client enterprise in support of its strategic goals, including how to work with the inadequacies of the product for maximum protection - and, in some cases, offer alternatives.

A recent network manager interviewed by Deb Radcliff, the Consortium's VP of publishing and field research, could have saved $250,000 in up front costs and a year's worth of trouble through a service like this. Her source, owner/operator of a managed services company for 250-range user organizations, could not go on record with the vendor name. But he does say it never lived up to its promise to integrate so he could upgrade his clients to manage their security devices.

"We never got our money back," says the disgruntled corporate consumer of said product. "We lost $250,000 - and that's not counting the missed revenues from not being able to upsell our managed security offering during that period."

Having been on both the buying side and the selling side of this process, Kadrich says vendors need to create best practices around testing their products for vulnerabilities in their interactions with other network traffic before, during and after product development.

For now, though, it's up to user organizations to make testing a larger priority than it already is by developing policies and processes and dedicating more human resources to thoroughly stress test new applications before allowing them to interact with the rest of the enterprise.

For more information visit www.thesecurityconsortium.net or contact:
Deva Loveland, of The Security Consortium, Inc., +1-408-971-0984.


(*1) Reference to NIST paper: www.nist.gov/director/prog-ofc/report02-3.pdf

(*2) Reference to Carnegie Mellon's "Build security in" document: https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/532.html


Text provided by the news source.


###


Copyright © 2007 by The Security Consortium, Inc. and Send2Press® Newswire, a service of Neotrope® - all rights reserved. Information believed accurate but not guaranteed. Sourced on: freeNewsArticles.com.
