System downtime caused by software vulnerabilities will triple by 2008 for firms that don't take proactive security steps

 

Organizations that don't include security as a criterion when building or buying software will see system downtime caused by security vulnerabilities grow from 5 percent of downtime in 2004 to 15 percent of downtime in 2008, according to Gartner Inc.

"Increasing Internet activity, along with the use of Web services, wireless connections and other new technologies, will lead to more vulnerable configurations," said John Pescatore, vice president and research fellow for Gartner. "These vulnerabilities will cause increased downtime for organizations that don't push security concerns into their processes for software development and procurement."

Gartner defines a "vulnerability" as a weakness in process, administration or technology that can be exploited to compromise IT security. Vulnerabilities can exist in any layer of the application stack and can be caused by weaknesses in just about every IT administration, process or design function.

"Basic changes to the operating systems and hardware platforms used by servers and PCs will make dramatic leaps forward possible in some areas of software security," said Pescatore. "However, through 2008, IT leaders will need to implement stopgap approaches to deal with new vulnerabilities associated with unsafe customer, employee and business partner platforms."

Organizations must do the following to avoid the escalation of major system problems caused by software vulnerabilities:

  • Pressure vendors to build more-secure software
  • Drive their development organizations to reduce security vulnerabilities in their own software
  • Base software architectures on security standards
  • Incorporate mechanisms to limit the "attack surface" of applications directly exposed to the Internet

 

Source: Gartner Inc.

Hytec Information Security Limited, Eynsham, near Oxford, UK   |   tel. 01865 887428  info@hytec.co.uk