Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Computing
Conference & Expo
November 2-4, 2009 NYC
Register Today and SAVE !..

2008 West
DIAMOND SPONSOR:
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
GOLD SPONSORS:
Appsense
User Environment Management – The Third Layer of the Desktop
Cordys
Cloud Computing for Business Agility
EMC
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Intel
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Sensedia
Return on Assests: Bringing Visibility to your SOA Strategy
Symantec
Managing Hybrid Endpoint Environments
VMWare
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
PLATINUM SPONSORS:
Appcelerator
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
GOLD SPONSORS:
ICEsoft
How Can AJAX Improve Homeland Security?
Isomorphic
Beyond Widgets: What a RIA Platform Should Offer
Oracle
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
In many cases, the end of the year gives you time to step back and take stock of the last 12 months. This is when many of us take a hard look at what worked and what did not, complete performance reviews, and formulate plans for the coming year. For me, it is all of those things plus a time when I u...
SYS-CON.TV
Patch as Patch Can: All Software Is Flawed
A meticulous patching program is necessary to prevent server and client-side exploits

Many IT departments have weak patching processes - especially on the client-side. And it's no wonder - patching is tough. Across all industries and platforms, the Window of Exploit (WOE) - that is, the time lag between announced discovery and the availability of a patch - for web-based vulnerabilities is a whopping 233 days, according to WhiteHat Security. This leaves your organization exposed for an unacceptably long period of time.

It may not be glamorous, but a meticulous patching program is necessary to prevent server and client-side exploits. HP's DVLabs and other research based on Open Source Vulnerability Database (OSDV) data found that several of today's successful "Top Ten" vulnerabilities were discovered (and patches were released for them) in the mid-2000s. Yet they continue to be exploited by attackers. Can you say with certainty that none of those vulnerabilities linger in your organization? How do you know?

While many software publishers don't bother to release patches, the two most aggressive vendors that are religious about patching are Microsoft and Adobe. Ironically, they somehow still account for the majority of client-side vulnerabilities, with the Office Suite products and Adobe Flash Player and Reader topping the list.

Even if you have the world's best patching process, your organization must strictly enforce policies to prevent re-introduction of vulnerabilities into your environment.

Case in point is Conficker and its infection of millions of unpatched systems since 2008. Three years after Microsoft issued a patch against the flaw, the worm is still looked upon as the most commonly encountered piece of malicious software, representing 15% of all infection attempts (as seen by Sophos customers) in the last six months.

What's happening is that plenty of infected PCs are spreading the contagion because too many of us are not patching. Apply patches consistently and you will be protected. But the constant noise of Conficker rebounding off network defenses is hiding some of the quieter and more targeted threats.

"By the end of 2011, Conficker was still the largest network threat in the world," says the most recent Sophos Security Threat Report.

Hand Microsoft credit for taking responsibility and for its transparency. In its own TechNet blog, the company admits with not an iota of ambiguity that "software itself is never completely secure."

It makes a case that we have all heard before but is worth repeating, namely that security management is a strategy and must be dealt with persistently. There is no complete solution and the work is never finished. There is no gauge to tell you that your network or systems are now secure or not secure. And it doesn't help to simply add more solutions to the stack.

SecureList and Kaspersky Labs researchers agree that the average PC has at least 12 vulnerabilities at any given time. No matter how well your organization manages patching - particularly on the client-side - and enforces policies, you are likely to see common vulnerabilities reintroduced into your IT environment. You are never totally secure. There is never a point when you can say the infrastructure is secure and walk away. The TechNet post asks, "Why can't you be 100% secure?" and gives the following reasons:

  • Because people are involved
  • Because users make mistakes
  • Because administrators also make mistakes
  • Because systems don't always get updated when they should
  • Because software itself is never completely secure

This is a fundamental concept that needs to be understood. There are too many variables and too many dependencies. The take-away lesson here is this: a false sense of security can be your worst enemy.

About Michelle Drolet
Michelle Drolet is founder of Towerwall, a data security services provider in Framingham, MA with clients such as PerkinElmer, Smith & Wesson, Middlesex Savings Bank, Brown University and SMBs. You may reach her at michelled@towerwall.com.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

SOA World Latest Stories
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will d...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus ...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one l...
Enterprise architects are increasingly adopting multi-cloud strategies as they seek to utilize existing data center assets, leverage the advantages of cloud computing and avoid cloud vendor lock-in. This requires a globally aware traffic management strategy that can monitor infrastruct...
Adding public cloud resources to an existing application can be a daunting process. The tools that you currently use to manage the software and hardware outside the cloud aren’t always the best tools to efficiently grow into the cloud. All of the major configuration management tools ha...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, dep...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021


SYS-CON Featured Whitepapers
ADS BY GOOGLE