The State of Software Security: An Interview with ISS Founder and CTO Chris Klaus
By Kirk L. Kroeker
www.TechNewsWorld.com, Part of the ECT News Network
December 3, 2003
"Linux exploits tend not to receive as much attention or awareness compared to a Microsoft threat," Chris Klaus, CTO of Internet Security Systems, told TechNewsWorld. "As we see more governments and companies standardizing on Linux within their own desktop and server infrastructure, Linux will become a bigger target in the future."
Chris Klaus, the founder and chief technology officer of Internet Security Systems (Nasdaq: ISSX), was recently appointed to cochair the National Common Criteria Task Force. Klaus was selected as task force cochair by the Business Software Alliance, the Information Technology Association of America, Microsoft's TechNet branch, the U.S. Chamber of Commerce and Tom Ridge, the secretary of the Department of Homeland Security.
Bringing together experts from the government, the commercial sector and academia, the task force is bent on examining ways to improve "common criteria," a set of standards developed by a coalition of nations to help ensure that software products purchased and deployed by government agencies are secure.
Klaus recently expressed his views on the subject of common criteria during testimony before the House Government Reform Subcommittee on Technology. Also, as the inventor of the first commercial vulnerability-assessment and intrusion-detection products, Klaus will work on the task force to share his industry experience, helping to create a more effective software security certification process.
Klaus founded ISS in 1994, and since then the company has become an established world leader in security. ISS products and services are based on the security intelligence work conducted by the ISS X-Force research and development team -- a recognized authority in vulnerability and threat research. To hear this insider's perspective on where software security is headed, TechNewsWorld turned to Klaus for an exclusive interview.
TechNewsWorld: Please tell us a little about what you do at ISS.

Chris Klaus: As chief technology officer of ISS, I collaborate with customers, security experts, engineering and product management to define and evolve ISS' vision and road map to continue to lead the security market with innovative products and services designed to fulfill customer needs.
TNW: As you cochair this new task force, what are the challenges you're anticipating?

Klaus: In creating this task force, we are breaking new ground and bringing together new teams and expertise to better understand the current security issues we face as a nation. The challenge is to get the right committed parties to come to the table and work through these issues. I believe that once we truly understand the issues at hand, the security problems can be resolved by cooperation between customers, vendors and government parties.
TNW: Is the term "common criteria" just another way to say "standards"?

Klaus: Common criteria sets a standard for security certifications.
TNW: While there are many different software development models, you're talking about the end product rather than the development process, right?

Klaus: The current certification process attempts to address both the functional components of the end product and the assurance components that can demonstrate that the product development process incorporated security measures.
TNW: What do you think of the current state of software security?

Klaus: The current state of software security could dramatically be improved. Most software, and technology, is developed and deployed without any consideration for security. This is changing as more companies are seeing computer security as a business risk and integrating it into their priorities for products and services deployed.

Today, software engineers are not required to understand and assess security risks in their products' architecture and design. Security has not been a part of the quality assurance process. To get a degree in architecture for designing and constructing buildings, a professional would be required to understand physical risks and how to reduce those risks -- that is, fire safety, earthquake issues and so forth.

As cyber risks are increasingly being recognized as a major issue for professional software engineers to identify and correct, this level of importance needs to be included in the college curriculum. Our future software engineers should be required to understand cyber-risk issues and how to correct them if we are going to make progress on software security. This way of thinking will help improve software security proactively rather than releasing a product and waiting until security researchers discover inherent vulnerabilities.
TNW: Do you think the situation will ever dramatically improve?

Klaus: Yes. Companies have only recently begun to purchase security products. However, as businesses increase their security spending, solutions will arise to meet demand. With the U.S. government becoming involved in cyber security, the information security industry will continue to innovate and introduce new ways to reduce cyber-risk while strengthening defense and protection mechanisms.
TNW: On a technical level, what differentiates ISS' strategies from your competitors'?

Klaus: There are many major differences between Internet Security Systems and other companies selling security technologies. Security is all we do. Our entire organization is focused on being the best security company in the world that provides not just the best security technology, but managed protection services and consulting services as well. ISS is a trusted security advisor to global enterprises and world governments, providing products and services that protect against Internet threats. We partner with companies to perform security assessments, build a security road map and business justification, then deploy the security solutions. The customer then has the choice whether to have ISS manage the technology or to manage security internally, in which case ISS will educate the customer on proper procedures and maintenance.
TNW: Your X-Force team has achieved a great deal of fame, particularly in light of recent virus outbreaks. What's your strategy?

Klaus: ISS' security research team, the X-Force, is the world's leading team of security experts on vulnerabilities and threats. ISS spends about 18 percent of revenue on research and development to provide dynamic security. A typical security company spends approximately 10 to 11 percent to focus on threats (that is, exploits, viruses and worms) without understanding security vulnerabilities. Because of our regular research into vulnerabilities, we are able to provide our customers protection using a concept called "Virtual Patch" that enables the protected system to guard immediately against attack or misuse once a vulnerability has been discovered, often long before a patch or hotfix is available or can be applied. With Virtual Patch, companies can be protected against a threat before it even becomes public, while most other security companies wait until the exploit or worm has already caused damage in the wild. With new viruses and worms propagating around the globe in 15 minutes, the older model of security companies reacting to every new threat is severely flawed.
TNW: Your all-in-one intrusion-detection boxes have been well received in the industry so far. Can you tell us a little about how these boxes stay ahead of the game?

Klaus: ISS is the first company to produce an all-in-one protection appliance with a unified protection agent that analyzes all traffic simultaneously to apply firewall, antivirus, and intrusion prevention rules in a unified analysis process. Other security companies that have introduced -- or plan to introduce -- an all-in-one box have combined various stand-alone hardware blades or stand-alone security applications with multiple engines onto one system that all must be configured, managed and updated separately. ISS' Proventia M Series appliances converge firewall, VPN, antivirus and IDS/IPS capabilities into one unified agent that needs to be configured, managed and updated only one time as one agent. In the future, Proventia will add application protection, content filtering and antispam functionality to the unified engine to extend protection across servers, desktops and laptops.
TNW: In an age where security specialists are in high demand, what do you think about the outsourcing-security strategy?

Klaus: ISS also differentiates itself as a security vendor by providing managed protection services for companies that want to outsource and extend their security team to provide 24-7 security monitoring and management at a much lower cost than managing security internally. In providing managed protection services, ISS allows customers the option of having ISS immediately respond to and block threats before they damage a customer's system without alerting the customer and awaiting their response or approval to take action. The basis of this relationship is built on service-level agreements in which ISS promises to perform to a certain level agreed upon by the customer -- or they receive a credit to their contract.
TNW: Technically speaking, do you believe Linux is more secure than Microsoft software? Or is Linux simply less targeted by malware writers?

Klaus: Both Linux and Microsoft have had many serious security vulnerabilities. Because of Microsoft's market share, and the vast difference in the number of computers on the Internet running Microsoft operating systems compared to Linux, Microsoft remains a much larger target for hackers and virus or worm writers. There are Linux worms existing on the Internet, but the number of Linux machines that can be infected is minuscule compared to the serious ramifications when a Microsoft virus or worm is released. Therefore, the Linux exploits tend not to receive as much attention or awareness compared to a Microsoft threat. As we see more governments and companies standardizing on Linux within their own desktop and server infrastructure, Linux will become a bigger target in the future.
TNW: Anything else you'd like to add?

Klaus: As a member of the Technical Standards and Common Criteria task force, I have high hopes that we can raise the bar for security standards that will improve the overall protection of the government. Increasing the amount of security protection in commonly available products will help to improve the security of the general business and consumer public as well.