If you are not finding vulnerabilities, then you are not looking hard enough

Building security and privacy into products from concept to retirement is not only a strong development practice but also important to enable customers to understand their security posture and truly unleash the power of data.

“Security doesn’t just happen. If you are not finding vulnerabilities, then you are not looking hard enough,” said Suzy Greenberg, vice president, Intel Product Assurance and Security.

Ponemon Institute independently conducted a survey of 1,875 individuals in the United States; the United Kingdom; Europe, the Middle East and Africa; and Latin America who are involved in overseeing the security of their organizations’ IT infrastructure. In addition, respondents are familiar with their organizations’ purchases of IT security technologies and services.

Key findings from the study include:

• Seventy-three percent of respondents say their organization is more likely to purchase technologies and services from technology providers that proactively find, mitigate and communicate security vulnerabilities. Forty-eight percent say their technology providers don’t offer this capability.
• Seventy-six percent of respondents say it is highly important that their technology provider offer hardware-assisted capabilities to mitigate software exploits.
• Sixty-four percent of respondents say it is highly important for their technology provider to be transparent about available security updates and mitigations. Forty-seven percent say their technology provider doesn’t provide this transparency.
• Seventy-four percent of respondents say it is highly important for their technology provider to apply ethical hacking practices to proactively identify and address vulnerabilities in its own products.
• Seventy-one percent of respondents say it is highly important for technology providers to offer ongoing security assurance and evidence that the components are operating in a known and trusted state.

Vendor characteristics

The key findings indicate that specific vendor characteristics affect purchase decisions. In some cases, there is a significant gap between the importance of these characteristics and the ability of the provider to have the capability. Characteristics include:

• Transparency about security updates and available mitigations.
• Vendor’s ability to identify vulnerabilities in its own products and mitigate them.
• Ongoing security assurance and evidence that the components are operating in a known and trusted state.
• Hardware-assisted capabilities to help protect distributed workloads and data in use, and to defend against software exploits.

Developing the strongest products requires power, performance and security. Security capabilities rooted in hardware not only provide security assurance against current threats, but also improve software reliability. Additional layers of protection at the foundation and across workloads to protect against future threats.