The State of Software Security: An Interview with ISS Founder and CTO Chris Klaus

Chris Klaus, the founder and chief technology officer of Internet Security Systems, was recently appointed to cochair the National Common Criteria Task Force. Klaus was selected as task force cochair by the Business Software Alliance, the Information Technology Association of America, Microsoft’s TechNet branch, the U.S. Chamber of Commerce and Tom Ridge, the secretary of the Department of Homeland Security.

Bringing together experts from the government, the commercial sector and academia, the task force is bent on examining ways to improve “common criteria,” a set of standards developed by a coalition of nations to help ensure that software products purchased and deployed by government agencies are secure.

Klaus recently expressed his views on the subject of common criteria during testimony before the House Government Reform Subcommittee on Technology. Also, as the inventor of the first commercial vulnerability-assessment and intrusion-detection products, Klaus will work on the task force to share his industry experience, helping to create a more effective software security certification process.

Klaus founded ISS in 1994, and since then the company has become an established world leader in security. ISS products and services are based on the security intelligence work conducted by the ISS X-Force research and development team — a recognized authority in vulnerability and threat research. To hear this insider’s perspective on where software security is headed, TechNewsWorld turned to Klaus for an exclusive interview.

TechNewsWorld: Please tell us a little about what you do at ISS.

Chris Klaus: As chief technology officer of ISS, I collaborate with customers, security experts, engineering and product management to define and evolve ISS’ vision and road map to continue to lead the security market with innovative products and services designed to fulfill customer needs.

TNW: As you cochair this new task force, what are the challenges you’re anticipating?

Klaus: In creating this task force, we are breaking new ground and bringing together new teams and expertise to better understand the current security issues we face as a nation. The challenge is to get the right committed parties to come to the table and work through these issues. I believe that once we truly understand the issues at hand, the security problems can be resolved by cooperation between customers, vendors and government parties.

TNW: Is the term “common criteria” just another way to say “standards”?

Klaus: Common criteria sets a standard for security certifications.

TNW: While there are many different software development models, you’re talking about the end product rather than the development process, right?

Klaus: The current certification process attempts to address both the functional components of the end product and the assurance components that can demonstrate that the product development process incorporated security measures.

TNW: What do you think of the current state of software security?

Klaus: The current state of software security could dramatically be improved. Most software, and technology, is developed and deployed without any consideration for security. This is changing as more companies are seeing computer security as a business risk and integrating it into their priorities for products and services deployed.

Today, software engineers are not required to understand and assess security risks in their products’ architecture and design. Security has not been a part of the quality assurance process. To get a degree in architecture for designing and constructing buildings, a professional would be required to understand physical risks and how to reduce those risks — that is, fire safety, earthquake issues and so forth.

As cyber risks are increasingly being recognized as a major issue for professional software engineers to identify and correct, this level of importance needs to be included in the college curriculum. Our future software engineers should be required to understand cyber-risk issues and how to correct them if we are going to make progress on software security. This way of thinking will help improve software security proactively rather than releasing a product and waiting until security researchers discover inherent vulnerabilities.

TNW: Do you think the situation will ever dramatically improve?

Klaus: Yes. Companies have only recently begun to purchase security products. However, as businesses increase their security spending, solutions will arise to meet demand. With the U.S. government becoming involved in cyber security, the information security industry will continue to innovate and introduce new ways to reduce cyber-risk while strengthening defense and protection mechanisms.

TNW: On a technical level, what differentiates ISS’ strategies from your competitors?

Klaus: There are many major differences between Internet Security Systems and other companies selling security technologies. Security is all we do. Our entire organization is focused on being the best security company in the world that provides not just the best security technology, but managed protection services and consulting services as well. ISS is a trusted security advisor to global enterprises and world governments, providing products and services that protect against Internet threats. We partner with companies to perform security assessments, build a security road map and business justification, then deploy the security solutions. The customer then has the choice whether to have ISS manage the technology or to manage security internally, in which case ISS will educate the customer on proper procedures and maintenance.

TNW: Your X-Force team has achieved a great deal of fame, particularly in light of recent virus outbreaks. What’s your strategy?

Klaus: ISS’ security research team, the X-Force, is the world’s leading security experts on vulnerabilities and threats. ISS spends about 18 percent of revenue on research and development to provide dynamic security. A typical security company spends approximately 10 to 11 percent to focus on threats (that is, exploits, viruses and worms) without understanding security vulnerabilities. Because of our regular research into vulnerabilities, we are able to provide our customers protection using a concept called “Virtual Patch” that enables the protected system to guard immediately against attack or misuse once a vulnerability has been discovered, often long before a patch or hotfix is available or can be applied. With Virtual Patch, companies can be protected against a threat before it even becomes public, while most other security companies wait until the exploit or worm has already caused damage in the wild. With new viruses and worms propagating around the globe in 15 minutes, the older model of security companies reacting to every new threat is severely flawed.

TNW: Your all-in-one intrusion-detection boxes have been well received in the industry so far. Can you tell us a little about how these boxes stay ahead of the game?

Klaus: ISS is the first company to produce an all-in-one protection appliance with a unified protection agent that analyzes all traffic simultaneously to apply firewall, antivirus, and intrusion prevention rules in a unified analysis process. Other security companies that have introduced — or plan to introduce — an all-in-one box have combined various stand-alone hardware blades or stand-alone security applications with multiple engines onto one system that all must be configured, managed and updated separately. ISS’ Proventia M Series appliances converge firewall, VPN, antivirus, IDS/IPS capabilities into one unified agent that needs to be configured, managed and updated only one time as one agent. In the future, Proventia will add application protection, content filtering and antispam functionality to the unified engine to extend protection across servers, desktops and laptops.

TNW: In an age where security specialists are in high demand, what do you think about the outsourcing-security strategy?

Klaus: ISS also differentiates itself as a security vendor by providing managed protection services for companies that want to outsource and extend their security team to provide 24-7 security monitoring and management at a much lower cost than managing security internally. In providing managed protection services, ISS allows customers the option of having ISS immediately respond to and block threats before they damage a customer’s system without alerting the customer and awaiting their response or approval to take action. The basis of this relationship is built on service-level agreements in which ISS promises to perform to a certain level agreed upon by the customer — or they receive a credit to their contract.

TNW: Technically speaking, do you believe Linux is more secure than Microsoft software? Or is Linux simply less targeted by malware writers?

Klaus: Both Linux and Microsoft have had many serious security vulnerabilities. Because of Microsoft’s market share, and the vast difference in the number of computers on the Internet running Microsoft operating systems compared to Linux, Microsoft remains a much larger target for hackers and virus or worm writers. There are Linux worms existing on the Internet, but the number of Linux machines that can be infected is minuscule compared to the serious ramifications when a Microsoft virus or worm is released. Therefore, the Linux exploits tend not to receive as much attention or awareness compared to a Microsoft threat. As we see more governments and companies standardizing on Linux within their own desktop and server infrastructure, Linux will become a bigger target in the future.

TNW: Anything else you’d like to add?

Klaus: As a member of the Technical Standards and Common Criteria task force, I have high hopes that we can raise the bar for security standards that will improve the overall protection of the government. Increasing the amount of security protection in commonly available products will help to improve the security of the general business and consumer public as well.