
CyberSecurity Institute

Security News Curated from across the world


Category: Trends

I.T. Security a People Problem; Workforce To Nearly Double by 2008

Posted on November 30, 2004 / December 30, 2021 by admini

The research shows that enterprises worldwide will hire about 800,000 more security professionals by 2008. The research leaves no doubt that human beings will be needed to thwart the threats caused by other human beings.

Among other findings of the IDC/ISC research: The compounded annual growth rate of hires worldwide between 2003 and 2008 should be 13.7 percent.

“There are still many organizations around the globe that haven’t fully addressed their security issues,” Carey noted. Some of the most insidious damage to data is accomplished as inside jobs.

When viewed from a macro level the striking characteristic of threats is change. “It’s a continuously dynamic environment,” Carey added.

The vulnerabilities of networks and data centers evolve, just as the methods employed by hackers do.

The key to a successful security strategy is involvement.

It appears the enterprises that remain free of viruses, break-ins and thefts will be those that refrain from throwing money or software at problems, and instead bring people in to respond to the shifting sands of I.T. hazards.

http://www.cio-today.com/story.xhtml?story_title=I_T__Security_a_People_Problem__Workforce_To_Nearly_Double_by_____&story_id=28254


Growing demand for command-control services

Posted on November 28, 2004 / December 30, 2021 by admini

“We’re seeing something equally as important as threat mitigation, and that’s command and control,” said Phebe Waterfield, an analyst for the Boston-based research firm.

“Companies are being held accountable for their security, and with accountability comes the need for a more mature process.” Waterfield reached that conclusion after talking to representatives from 606 enterprises about their security budgets over the past year.

She said a variety of people were interviewed, including chief financial officers and chief security officers. “The respondents all had input into how their company’s security dollars are spent,” she said.

While threat mitigation has been the chief concern of enterprises in recent years, Waterfield said the trend is shifting in favor of command and control companies.

The study predicts the global security market will generate $12.9 billion in revenue for 2004.

“The threat mitigation segments are perimeter firewalls, network integrity systems, application gateways and system integrity software,” Waterfield said.

Command and control, solutions for managing network security, represents 40% of the security market with an estimated $5.2 billion in revenue for 2004. “Command and control includes identity management, security event management, vulnerability assessments and patching, and intrusion detection audits,” Waterfield said. While threat mitigation services have generated more revenue and a larger market share this year, Waterfield said command and control services have shown the most growth and the feedback she received indicates the trend will continue.

Managed security services: the use of external expertise in operating and improving the performance of security processes. “This component includes augmenting in-house operational staff, enhancing security response, reducing operational expenses and improving the security process and strategy,” Waterfield said.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1028712,00.html


Hot Technologies For 2005 On the Front Line

Posted on November 23, 2004 / December 30, 2021 by admini

In this year’s survey (detailed results will appear in VARBusiness’ Jan. 10, 2005, issue and online at www.varbusiness.com), VARs also named Voice over IP, 64-bit processors and radio-frequency identification (RFID) as areas they consider likely to constitute breakthrough technologies for their businesses in 2005.

In the article, they provided some perspective behind those projections, with technology-based snapshots of these hot segments.

Blade Servers Bust Out

Spurred by the advent of new 64-bit microprocessor technologies and the enthusiastic uptake of Linux, VARs don’t find many areas where they move more units than in blade servers. The market is growing at a torrid pace — blade revenues for this year’s second quarter total $233 million, according to IDC, for an annual run-rate of nearly $1 billion. So it’s not unexpected that Tier 1 vendors IBM, Hewlett-Packard and Sun Microsystems are stoking their respective channels with hot products aplenty as they fight a pitched battle for the blade high ground.

With its BladeCenter lineup, IBM is successfully working a dual-processor strategy. Some of the models, like the JS20, sport IBM’s homegrown Power architecture.

For its part, HP is thinking beyond the server box when it comes to its BladeSystem family, pitching it as a total “infrastructure” solution that uses tools such as HP’s Systems Insight Manager software to create a virtualized network.

Resellers would do well to study HP’s tack, since marketing mere blades doesn’t seem nearly as savvy as selling full-fledged utility computing solutions.

And though it is a ways back from IBM and HP, Sun, nevertheless, is going full-speed ahead in blades. Its Sun Fire B100x and B1660 blade platforms give VARs the flexibility of offering customers a mix-and-match assortment of Sparc and x86 processing power, and Solaris and Linux operating systems control.

There’s Something About 64 Bits

What’s bigger than a desktop PC but not quite as hefty as those expensive RISC-processor-based boxes that are replacing yesteryear’s mainframes?

Unit sales of commodity servers based on AMD’s high-flying Opteron processors soared 81 percent in the second quarter of 2004, IDC says. It’s a hybrid 32-/64-bit CPU, which can run both 32- and 64-bit software via a set of 64-bit instruction-set extensions.

AMD kicked off the category in 2003 with its AMD64 architecture and companion 64-bit instruction-set extensions. These are implemented in AMD’s Opteron server (and companion Athlon 64-bit desktop) processors.

IBM, HP and Sun have all rolled out Opteron servers, as have numerous white-box builders.

Seething on the sidelines as AMD’s technology was rapidly adopted by the market, Intel fired back this summer with its own extensions, called EM64T, and a 64-bit version (formerly code-named Nocona) of its tried-and-true Xeon server CPU. The 64-bit Xeon should stoke additional volume deployments of commodity servers in 2005, IDC says.

Looking ahead, next year will see products push ahead in the form of multicore processors from both Intel and AMD.

Above commodity platforms, at the high end of the market, IBM and Sun are both fielding 64-bit processors. The Power 5, which was publicly unveiled in March, is IBM’s latest iteration of its RISC microprocessor architecture. For Sun, it’s producing a dual-core UltraSparc IV chip, while it paves a path to the 2006 launch of its groundbreaking eight-core Niagara processor.

As for Intel’s high-end play, the Itanium 2, the company has already demonstrated the next-generation version of that processor. Code-named Montecito, it has a multicore design and more than 1.7 billion transistors.

Linux Becomes Likeable

No longer the little OS that could, Linux is making a big play to take its place in the center of the enterprise. Although Microsoft has thrust its Windows Server offering into that same space — and is spending $1.7 billion annually in support of its channel partners to make sure it maintains its leadership position — Linux in the enterprise is still moving forward, slowly but surely. Both Red Hat and Novell’s SuSE operation have rolled out enterprise-class versions of their Linux distributions.

Sales of Red Hat Enterprise Linux have reached 144,000 units, including 115,000 subscriptions to enterprise IT servers.

Meanwhile, sales of subscriptions to SuSE Linux Enterprise Server reached 19,000 units in Novell’s recently completed third fiscal quarter.

To help spur deployment, the two vendors are also pursuing reseller programs, albeit with different flavors.

Red Hat, which has rubbed some VARs the wrong way with the perception that it’s out to write as much business for itself as it can, has a list of partners for its Enterprise Linux family, though they skew toward larger OEMs and ISVs, such as BEA, HP, IBM and Veritas.

SuSE had a fairly small partner program when it was acquired by Novell in late 2003. Novell has spent the past year working to fold SuSE into its much larger channel operation.

Boding well for both companies is the fact that vendors such as HP, IBM and Oracle tend to remain Linux-agnostic and support both Red Hat and SuSE according to their customers’ wishes.

Moving ahead on the technology front, watch for Linux to get ever more capable, given the recent addition of support for scalable, high-end servers made possible by the new 2.6 kernel.

Security also will command increased attention, as the kernel enables Linux purveyors to make their distributions compliant with the emerging EAL 4 international standard.

At the same time, security software is expanding to protect against identity theft and proactively assess and stop hacker attacks before they breach the network edge. Computer Associates, for one, has extended its eTrust Security Management software line to encompass such solutions.

VoIP has moved to a new level of reliability that relegates to the past nasty dropouts and other glitches surrounding the digital data packets used to carry voice traffic over the Internet. And, as a $2 billion annual business, it’s finally becoming a field with profit potential.

The most capable of today’s storage systems deliver cutting-edge virtualization capabilities to create separate pools of storage for different application profiles. Logical partitioning and simplified replication features deliver streamlined storage management and optimized application performance.

http://www.securitypipeline.com/news/54200445;jsessionid=BGYJHLBB25A4IQSNDBCCKH0CJUMEKJVN


Tech leaders see the CFO’s role growing

Posted on November 19, 2004 / December 30, 2021 by admini

Among the business leaders taking the stage were George Reyes, chief financial officer of Web search giant Google, and James Goodnight, chief executive of SAS. Along with experts such as Blythe McGarvie, president of consulting group Leadership for International Finance, and Angelo Messina, CFO of manufacturing giant Carrier, the business leaders outlined the challenges of being a top-ranking finance executive.

Predictably, the issues most frequently touched on were related to the glut of accounting scandals unearthed at companies such as Enron over the past several years, and the daunting task of meeting the guidelines set forth in the Sarbanes-Oxley Act, the legislation crafted in the wake of those scandals to protect against corporate fraud.

Reyes noted the importance of establishing better protective measures but said Google’s efforts to comply with Section 404 of Sarbanes-Oxley have become increasingly expensive. The 404 guideline, which took effect earlier this month, demands that publicly traded companies have policies and controls in place to secure, document and process material information dealing with their financial results.

“It’s always true that a smart bad guy can extract what they need (to commit fraud), but I have real concerns over the rising costs” of Sarbanes-Oxley, Reyes said. “We’ve seen (Section) 404 certification fees triple, and with a scarcity of resources on the market, people are taking advantage.” Reyes said one benefit of working to meet the requirements of Sarbanes-Oxley has been the opportunity to employ new accounting process measures that benefit the company as a whole, not just in meeting the regulatory legislation’s terms. While he believes that costs related to addressing Sarbanes-Oxley remain “out of whack,” Reyes said he hopes activity in the sector will cool down over the next two years.

Goodnight, who offered a colorful illustration of how some companies may actually be able to save money by purchasing their own airplanes, as he says SAS has, focused on the growing need for chief executives to nurture close relationships with their CFOs.

The SAS executive said that in addition to “keeping their CEOs out of jail,” chief financial officers must become more involved in corporate strategy, not just smarter bookkeeping. “The relationship needs to be more collaborative than it ever was in the past,” Goodnight said. “With the accounting fallout bringing corporate governance to the forefront, that adds a need for additional levels of trust and mutual dependency between CEOs and CFOs.”

The executive referred to the CFO as the chief executive’s “ideal confidant,” someone who needs to look beyond the numbers on a company’s balance sheet to help understand where a business needs to go in order to improve its prospects. “CEOs need to include their CFO as a trusted partner to balance internal and external factors and transform their role from providing transparency to creating a better corporate vision,” Goodnight said.

Among the other issues addressed by Google’s Reyes were the search company’s initial public offering, in August 2004. The CFO called the stock offering the “critical defining moment” for Google, and he admitted that challenges such as the publishing of a controversial executive interview in Playboy magazine made the event all the more harrying. “In some ways, we didn’t perform as well as possible, as with the Playboy article, which was a self-inflicted wound,” Reyes said. “But, as our board of directors and investors look back, we couldn’t be happier with the outcome, as the stock is performing well.”

Reyes also detailed his role in promoting Google’s human resources efforts, including the company’s strategy of keeping employees on campus by offering on-site benefits such as gyms, masseuses and an abundant cafeteria. The executive even broached the topic of the corporate expensing of stock options, a concept that has ruffled feathers throughout the IT industry, based on the belief that the practice will discourage companies from offering the incentives to employees. “Equity and stock options have been at the heart of (Silicon Valley’s) attraction,” he said.

“But there’s a new sheriff in town, and he’s beating the drum this year.”

http://news.zdnet.com/2100-3513_22-5460352.html?part=rss&tag=feed&subj=zdnet


Boom times ahead for IT security profession

Posted on November 9, 2004 / December 30, 2021 by admini

Approximately 680,000 of this expanded workforce will work in Europe.

IDC analysed responses from 5,371 full-time information security professionals in 80 countries worldwide, with nearly half employed by organisations with $1bn or more in annual revenue. The web-based study is described as the first major study of the global information security profession ever undertaken.

On average survey respondents had 13 years work experience in IT and seven years specialised security experience. This wealth of skill is often well rewarded.

Around 10 per cent of the survey participants in both the US earned more than $125,000 per annum; 22 per cent of US residents who took part in the survey earned between $100,000-$120,000 a year (Europe 16 per cent).

At the other end of the scale, five per cent of security pros in the states and nine per cent in Europe earn less than $50,000.

In Asia, 60 per cent of security professionals earn less than $50,000.

Managers hiring security professionals (93 per cent) said certification was important in choosing potential recruits; but commercial awareness is also becoming increasingly important.

“The study shows a shift in the information security profession, indicating that business acumen is now often required along with technology proficiency,” said Allan Carey, the IDC analyst who led the study. “This widening responsibility means information security professionals not only have to receive a constant refresh of the best security knowledge but also must acquire a solid understanding of business processes and risk management to be successful in their roles.”

“With competing demands on industry and government to expand access to services and information, the highly trained and experienced information security professional must now be an active participant to fulfil stringent regulatory requirements and provide proactive solutions to circumvent emerging risks,” he added.

http://www.theregister.co.uk/2004/11/09/isc2_security_job_survey/


Trends in Web Application Security

Posted on October 27, 2004 / December 30, 2021 by admini

This article highlights both technical and business trends in web application security.

Traditionally, vulnerability analysis (and its management) has been focused at the network or operating system level. Trends are leaning towards merging the ability to scan for network vulnerabilities and application-level vulnerabilities together. The goal in this merging of network and application vulnerability analysis is the ability to use data found from one level and drive a more focused approach for the other level.

Another key area where we will see more integration is in the area of network management consoles. Currently, most consoles are geared towards soliciting network device information (e.g. firewalls). On the network side, consoles can be set up to attach patch management solutions to notifications of problem detection. However, many web applications are proprietary and thus unique to a particular customer or department within a large corporation.

Mercury Interactive, a major player in automated testing tools, recently announced partnerships with some leading application security testing companies that provide an integrated solution between Mercury’s testing products and the vendors’ application vulnerability detection tools. Some vendors have created development tools for enhancing code security, but to date, sales of these tools have been relatively poor. In addition, most of these code scanning tools are unable to provide complete application awareness and can only focus on a specific module of code.

This has started to prompt some awareness in the developer community. However, it is still too early for application tools to incorporate sophisticated integration, as web application security analysis still lies primarily in the hands of security professionals such as penetration testers, QA engineers, and auditors.

While no formal direction has yet been established, industry trade groups, such as the Information Technology Association of America (ITAA), are anticipated to start providing guidelines for web application security for offshore code.

With the rise of cross-site scripting (XSS) attacks, tools are still only focused on inline detection (the ability to attack and detect success in the same process). Complexities yet to be tackled include performance (as large amounts of data from the web application and user input need to be stored and referenced with each new interaction) and accuracy (by reducing false positives). For example, some large financial organizations have recently had issues with cross-frame scripting (XFS), a particular type of phishing attack that poisons a single frame in a page. While web services have been very slow in mass adoption, some users have sites and online applications that depend on web services, and therefore have an urgent need to test for web services vulnerabilities.

For the most part, vendors in this space have focused on simple detection techniques such as XML (malformed) schema based attacks and applying known web application vulnerabilities in non-XML applications to XML applications. This generally involves the ability to write scripts to address new and cutting-edge vulnerabilities. Vendors have been using scripts that use languages ranging from ones that look like Visual Basic to JavaScript and Nessus’ NASL language.

For the immediate future, most well-defined tools will choose multiple script languages to incorporate open source tools as well as proprietary methods.

Another area poised for substantial increases in effectiveness is the ability to handle testing of client-side technology for web applications.

Some of the more prominent standards include the Application Vulnerability Description Language (AVDL) and Web Application Security (WAS), which are both XML-based standards.

http://www.securityfocus.com/infocus/1809
