Five ways that software vendors can boost security

Is your software vendor doing everything it can to secure its products? As Sun Microsystems learned this week, there is always room for improvement.

Sun changed the way it releases security updates to its desktop Java SE (Standard Edition) platform this week following pressure from customers and security experts like Marc Maiffret, chief technology officer with eEye Digital Security.

Maiffret had blasted Sun a few months ago for releasing Java fixes to developers ahead of regular users -- a practice that he said could give the bad guys a golden opportunity to reverse-engineer the developer code and uncover new ways of attacking Sun's 800 million Java SE users.

With Sun now pledging to release all of its Java SE updates at the same time, we asked Maiffret what suggestions he'd offer the software industry on improving security. Following are his top five tips:

1) Make it easy for the hackers to tell you what they know. According to Maiffret, this is the number one way to improve your relationship with the security community, and it's easily done: "Have the secure@ and security@ e-mail addresses listed under your contacts page or some sort of security landing page," he said.

2) Do what Sun did. Make sure that you fix the bugs in all of your products at the same time, so you don't accidentally hand over security details in code that could be reverse-engineered and then used to attack customers who haven't yet been given the fix.

3) Make sure there is a very straightforward way that the customer is notified of security fixes -- either via e-mail or through the product itself.

4) Separate security updates from feature updates. This is especially important for consumer products. "A lot of times you'll have a vendor trying to tell you, 'You want this new photobook album functionality?' and you'll say, 'no' without realizing that it actually contains critical security updates," Maiffret said.

5) List your upcoming security fixes as soon as you've identified a new issue. Yes, it may make for some bad PR at first, but by notifying users as soon as a vulnerability has been verified, you document your ability to patch the problem. "When you have that public timeline, it actually allows customers to see if someone's taking too long so they can put pressure to have it fixed more quickly," he said.

Robert McMillan

IDG News Service