Accounting for Security

There is a smarter, more cost-effective approach to security than the prevalent method of developing and implementing patches once problems are discovered. But to achieve this, companies have to start by demanding better products.

Organizations should investigate the security practices of software vendors rather than accept that countless problems with an operating system or software application are inevitable. Users must demand stronger, more reliable products; their businesses depend on it.

Time and money that would otherwise be dedicated to fixing faulty products should be invested in this research before making the next purchasing decision. For example, the cost to deploy a patch for a recognized software flaw runs on average $900 per server and $700 per client. If an enterprise misses a patch and gets hit by a virus, the costs magnify.

Enterprises can make better decisions about security products and reduce the potential back-end costs by researching a few key vendor practices: examining the vendor’s corporate culture, specifically the security of its development process; insisting on a response plan for times when vulnerabilities are found; and demanding third-party assessments.

Vendors must demonstrate that security is a priority at each step of the product development and delivery process. Training in secure coding practice and compensation tied to secure coding objectives are two such indicators. A vendor with a chief security officer and a team that analyzes product development for weaknesses, or hacks its own products, is also more likely to focus seriously on security.

The vendor should also run its own enterprise on its software; if a company doesn’t trust its own products to secure secrets, why should you?


Additionally, third-party validation is a critical step in purchasing secure products. Some software and OS vendors submit products for rigorous security evaluations conducted by independent authorities. These evaluations are recognized globally by various governing bodies. An evaluated product provides organizations with a level of assurance about the product’s features and security claims. Often, evaluators find weaknesses in the product that are corrected before the evaluation is completed.

These evaluations are not without a price. However, reputable vendors know that paying for an evaluation is cheaper than fixing a product already in use. Red Hat Enterprise Linux, for example, recently completed a Common Criteria (ISO 15408) evaluation at EAL2. As a result, security-conscious customers can be assured of using a secure OS to run their enterprise applications.