- +
Ticked Off at Tick the Box Mentality 04 February, 2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients? - +
Your World. . . Hacked 02 October, 2007 10:51:23
As your business becomes more collaborative and global, the risks to your company’s trade secrets rise proportionally. Fortunately, there are new strategies to protect the data that allows you to competeThe call to Bob Bailey, an IT executive with a major US government contractor, came on an otherwise ordinary day in October 2003. "Why are you attacking us?" demanded the caller, an IT leader with a Silicon Valley manufacturer. He wanted to know why Bailey's company had launched a denial-of-service attack against his network
- +
Clean up your SOAP-based Web services 27 November, 2007 13:16:14
The Test Center inspects five worthy tools for keeping your services squeaky cleanSOAP is the currency of the SOA marketplace -- for now, anyway. Though SOAP's significance may diminish as Web services evolve, its importance for the time being is unquestionable. Therefore, a substantial portion of the QA work by Web service providers and consumers must entail verifying the accurate exchange of SOAP messages. Not surprisingly, several SOAP-focused Web service testing tools have appeared.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. The IP Storage payoff: Turning your investment into efficient, affordable results
Radicati Market Quadrant 2008 on Corporate Web Security
How to Beef Up Your Sales Pipeline
Why Security SaaS Makes Sense Today
Understanding Email Marketing: A Guide for SMBs
Choices in Storage Architecture for Oracle Environments
Wireless LANs: Is my enterprise at risk?
Enterprise Wireless WLAN Security
Newsletter Subscription
Open source software is a significant security risk for corporations that use it because in many cases, the open source community fails to adhere to minimal security best practices, according a study released Monday.
The study, carried out by Fortify Software with help from consultant Larry Suto, evaluated 11 open source software packages and each community's response to security issues over the course of about three months. The goal was to find out if the community for each open source software package was responsive to security questions or vulnerability findings, published security guidelines and maintained a secure development process, for example.
Open source application server Tomcat scored the best in the study, titled "Open Source Study -- How Are Open Source Development Communities Embracing Security Best Practices?"
The remaining 10 open source application, tool and database packages -- Derby, Geronimo, Hibernate, Hipergate, JBoss, Jonas, OFBiz, OpenCMS, Resin and Struts -- had a dismal showing. Among these 10 packages, application server JBoss scored higher by providing a prominent link to security information on its Web site and easy access to security experts, but came up short for not having a specific e-mail alias for submission of security vulnerabilities.
"You don't want to report bugs to a general mailing list because it would go to the general public," says Jacob West, manager of Fortify's security research group. There needs to be a measure of confidentiality in reporting bugs so that the fix for them can be provided when the public is notified, so attackers don't get early information they can exploit.
But too often the open source communities that offer their software for free don't appear to be as mindful about security practices as their commercial counterparts, which charge for software and support, West says.
Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open source software packages examined.
But when Fortify tried to reach out to the open-source software communities, with the primary point of contact a Web site and a general e-mail address, the security firm found that "in two-thirds of these cases, you didn't get a response at all," West says. "There are no phone numbers. Who do you go to ask for information? It's kind of hard to tell who these people are."
The report itself notes, "Open source packages often claim enterprise-class capabilities but are not adopting -- or even considering -- industry best practices. Only a few open source development teams are moving in the right direction."
West says Fortify did not conduct this study in order to condemn open source software, but rather to point out that the security practices need to improve because open source adoption by enterprises and governments is growing.
Howard Schmidt, former White House cybersecurity czar who's now a consultant, and also a board member at Fortify, says the study shows that when it comes to business adoption of open source software, "You've got to go into this with your eyes wide open."
The reality is that while open source software may appear more cost-effective and just as functional as commercial software in some instances, the question of maintenance must be examined very carefully.
"Who do you reach out to?" Schmidt asks. "What about the thousands of companies out there running Geronimo? And what about your supply-chain partners?"
The bottom line is that corporations may find they have to undertake remediation of open source packages on their own. "You are effectively on your own, absent your having an arrangement ahead of time," Schmidt says.
Government agencies and corporations need to decide if they're going to try to mitigate problems with open source software themselves, through risk assessment and code review, and whether they plan to give that information back to the open source community.
This is a fundamental question about the life-cycle development of the software, West says, adding that the study indicated to Fortify that the open source communities in these cases tended not to correct for identified flaws in software versions over a period of time.
2008 CIO Summit
19th August, 2008 Four Seasons Hotel, Sydney Developed in partnership with CIO Magazine, IDC, INTEP and the CIO Executive Council.
The world of the CIO is extremely complex and diverse. Multiple priorities demand attention and decisions are needed instantly. Individual teams need to be driven towards common goals, and businesses strive to become more mobile, agile and responsive. For CIOs, the challenge never ends.
Every year the CIO Summit identifies what is top of mind for CIOs across Australia and New Zealand, and offers insight for CIO benchmarking and vendor strategic planning alike.
Recent IDC research shows that over 59% of CIO's believe that 'to achieve their business strategies, technology should be used more aggressively than today.'
Join us on August 19th to discover how this is possible with the latest technologies including Virtualisation, Web 2.0, IP Surveillance and Software as a Service (Saas).
Click here for more information.
Please email Denyse_Robertson@idg.com.au for further information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
Information security governance: Centralized vs. distributed 05 September, 2008 10:15:00
Should security policies, procedures and processes be managed within a central body, or distributed at an individual level? You need to find the middle ground.The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground? - +
DNS error brings Sophos antivirus updates to a halt 05 September, 2008 13:40:00
Optus, Internode and Equinix affected among others.A sporadic Domain Name Server (DNS) error has blocked Sophos anti-virus updates around the world. - +
Ouch! Security pros' worst mistakes 04 September, 2008 08:05:00
We've all done regrettable things on the job, but does any valuable wisdom come of it? Four security pros candidly explain their biggest blunders and what they learned in the processIt was a mistake so bad the person who made it asked that his name and company not be mentioned here. Let's call him Frank. - +
Security ROI: Fact or Fiction? 03 September, 2008 08:32:00
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable. - +
Information Security and the Importance of Context 01 September, 2008 10:00:00
Those entrusted with information security must raise their contextual awarenessWhen the US Transportation Security Administration (TSA) was first created, it created a sudden need for tens of thousands of screeners. Getting a job as an airport screener was a pretty easy process. It seemed as though if you had a pulse, you were in. Jump forward to 2008 and becoming a screener is a bit harder as the TSA has instituted background checks, has upped the educational requirement to include a high school diploma or GED, and added other significant requirements.
Viva la Verticals! Key to Vendor Growth is Through Vertical Market Opportunities, Says IDC 05 September, 2008 11:05:00
F-Secure delivers fastest protection in the online world 04 September, 2008 16:50:00
Rogue security apps dominate Fortinet's Aug 2008 IT threat report 04 September, 2008 16:00:00
IntraPower Signs Deal with Australia’s Largest Service Station and Convenience Store Network 04 September, 2008 10:07:00
TANDBERG Begins Desktop Videoconferencing Roll-Out at New England Credit Union 03 September, 2008 16:01:00
|
||
|
||
|
|
||
|
Web Security SaaS: The Next Generation of Web Security
Discover the latest web security SaaS solutions. Learn how to increase overall security effectiveness and reduce the burden on your IT department. Uncover the security challenges facing SMB environments today and identify the critical elements that can provide you with lower-cost and easier-to-manage web security solutions.
Subscribe to CIO
