10 security threats to watch for

Virtual servers, public Web sites and mobile devices are increasingly popular targets

"We need secure coding in the development stage," Selby says, and that is coming, but it is not here yet. He suggests that businesses use open platforms when possible because they often receive more scrutiny. "More eyes on the code gets protocols fixed faster," he says.

Quality assurance programs and production testing of applications are key to making sure they cannot be hacked. "These protocols need to be fuzzed," he says, referring to the process of barraging an application with random input data to find a way to break the application. IBM, White Hat Security, SPI Dynamics and others sell tools to put applications through the wringer before they are exposed to real-world traffic that may include hacking attempts, Selby says.

Web application firewalls, automated source-code analysis and manual testing of applications for vulnerabilities also can help, says Michael Montecillo, an analyst with Enterprise Management Associates.

10. Rust-out

Oddly, being too diligent in protecting against threats may become a liability if those threats are no longer the most dangerous to the corporate network, Young says. "You may spend money on upgrading an [intrusion-detection system], but that might not have the most value for your organization," he says.

He calls this phenomenon rust-out because the usefulness of a tool may wear away over time without businesses recognizing it, and they may blindly upgrade without weighing whether the tool delivers the most cost-effective protection for the network. Newer, potentially more damaging threats may warrant new tools, Young says, and because businesses always work within budgets, they must regularly review their entire security architecture to make sure its effectiveness hasn't corroded with time.

This can challenge well-established security thinking, such as the value of firewalls, says Babeck Pashdar, a security analyst and founder of consulting firm Bat Blue. "Firewalls are noise-management only," he says. "A firewall has only the ability to say who the source is, the IP address, what the destination is and the conduit [the traffic] uses. It does not have the ability to look within that conduit to tell if it's well- or mal-intended."

The best remedy for rust-out is a regular bottom-up review of the security architecture in the context of the latest threat patterns, and spending money on the most effective defenses, Young says. "Issues of balance are least exciting but most effective," he says. "You can't have the IT-security budget exceed the IT budget."
