the most trusted source for computer security training, certification and research


2003 Information Security Leadership Awards - Categories

A. Awards for Software Companies (and system and network hardware vendors)

1. Delivering secure configurations of their software in accordance with consensus security standards.

According to research published in late 2002 by the US Department of Defense, when user organizations configure their systems by turning off unnecessary services and making other similar safe settings, they remove 90% of the vulnerabilities that can be tested using vulnerability scanners.

Consensus benchmarks for three operating systems (Windows 2000, Solaris, and Cisco IOS) have been agreed upon by a huge consortium of user organizations, including more than 60 commercial organizations from Wachovia to Shell and major government organizations such as DISA (the Defense Information Systems Agency, which sets configuration requirements for DoD systems), the National Security Agency, and the National Institute of Standards and Technology, plus government agencies in countries outside the US. A dozen additional consensus benchmarks are under development. They may be downloaded at no cost, along with free tools that test your systems and tell you how close your configurations are to the benchmarks, from www.cisecurity.org.

Vendors that sell systems preconfigured to match these consensus standards radically reduce the effort required of system administrators, who otherwise are forced to laboriously and manually remove services installed in the vendor's unsafe configuration. These awards may go to the software vendor, or, if the software is delivered by a hardware manufacturer (such as Dell, HP, IBM or Gateway), the hardware vendor may win the award.

2. Providing application testing laboratories to ensure applications work effectively on secure configurations.

Users take a risk when they configure systems safely because too many application software developers - both inside and outside the user organizations - build new software packages assuming the operating system, database, and web servers are configured in the most open and insecure way possible. That means a safe configuration may cause an application to fail. Managers need their systems to run, so they veto security if security disables applications. Often the conflicts between security needs and application needs flare into major confrontations between user groups and security managers.

One solution to this problem is to require application developers to test their applications on a safely configured version of the operating system/database/web server. This shifts responsibility for making sure the application works to the developers who are obviously the group in the best position to make the application run in the safe environment.

A securely configured test bed provided by the vendor organizations during the beta release process can give application vendors sufficient time to make sure any needed changes are in place so the application does not fail when it is installed on a securely configured system.

3. Training of software developers to recognize common security errors in their code and to eliminate those errors.

Most security bugs in software are the product of software errors that are seen over and over again. When, for example, a group of federal IT and IT security managers visited Microsoft in 2001, Steve Ballmer entered the meeting and, before saying another word, complained aloud, "You would think the programmers would be able to get rid of buffer overflows by now." A new buffer overflow security vulnerability in a Microsoft product had just been announced.

Application developers do not "get rid of buffer overflows" because they never learned how they create buffer overflows. A massive, mandatory retraining program is the only short-term fix for this problem.
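The kind of error the training described above targets, as an added example that is not part of the SANS page: a fixed-size copy with no length check beside its bounded replacement. The field size (`NAME_MAX`) and the function names are hypothetical, chosen for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* hypothetical fixed-size field, chosen for the example */

/* Returns true only if `input` plus its terminating NUL fits in a buffer
 * of `buf_size` bytes. This is the check the unsafe version below omits. */
bool fits_in_buffer(const char *input, size_t buf_size)
{
    return strlen(input) + 1 <= buf_size;
}

/* Vulnerable pattern: copies the caller's string into a fixed-size stack
 * buffer without checking its length. Any input of NAME_MAX bytes or more
 * writes past the end of `name`, corrupting whatever the compiler placed
 * beside it. Kept here only to show the defect; it is never called with
 * input that does not fit. */
void greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                /* unbounded copy: the classic overflow */
    printf("Hello, %s\n", name);
}

/* Hardened version: measures the input first and refuses anything that
 * would not fit, including the terminating NUL. Returns false on rejection
 * so the caller can report an error instead of silently truncating or
 * corrupting memory. */
bool greet_safe(const char *input)
{
    char name[NAME_MAX];
    if (!fits_in_buffer(input, sizeof name)) {
        return false;                   /* would overflow: reject the input */
    }
    memcpy(name, input, strlen(input) + 1);   /* exact bytes plus the NUL */
    printf("Hello, %s\n", name);
    return true;
}

int main(void)
{
    /* Constructed sample inputs: one that fits and one that is one byte too long. */
    const char *short_name = "Alice";
    const char *too_long   = "0123456789abcdef";   /* 16 chars: no room for NUL */

    greet_unsafe(short_name);               /* safe only because the input fits */
    printf("safe accepted short: %d\n", greet_safe(short_name));   /* 1 */
    printf("safe accepted long:  %d\n", greet_safe(too_long));     /* 0 */
    return 0;
}
```

The point of the pair is the missing step, not the library call: `strcpy` trusts the caller, while `greet_safe` computes the length against `sizeof name` and makes the rejection an explicit, testable return value.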

4. Testing of software for security vulnerabilities.

Software companies can improve the security of their products by implementing computer-mediated security bug testing programs for all code that is delivered. Awards in this category will not be made merely for testing software, because that is a common practice. They will be given to the organizations that show the most comprehensive and innovative testing programs.

5. Automated updating and patching (and providing update servers for user control of updating inside client organizations) of software to remove security vulnerabilities.

Thirty to fifty new security vulnerabilities are discovered every week. About ten percent are big enough problems (because they allow root compromises and are easily exploited remotely) to require rapid action. Sadly, the majority of people who buy and install computers do not have the skills needed to assess the various vulnerabilities and to understand the patches and updates. They need help either from the vendor or from experts inside their organization. Vendors that force users to navigate complex security pages and choose applicable patches at the vendor web sites are not doing enough.

The vendors that win in this category will have solved either the automated remote patching problem from their own servers or have delivered effective update servers to clients so the user organization's security experts can test new patches and then, once they feel comfortable, automatically deploy the patches to all affected systems.

6. Delivering standards-based encryption that is invoked automatically.

Why are so many credit card numbers stolen from Internet-connected computers? It is partly because of remotely exploited security vulnerabilities. But the organizations that store credit card numbers and other sensitive information could have another layer of protection if they encrypted the sensitive data. Most of them do not use encryption because the vendors do not turn encryption on automatically, nor do they make encryption a natural part of the application development process. Awards in this category go to the system and database management software vendors who make encryption easiest for application developers and users.

7. Delivering operating systems that compartmentalize and isolate attacks.

Sophisticated compartmentalization technology can enable an operating system to defend itself by containing attacks. With this type of technology, even when an attacker succeeds in exploiting a vulnerable service, the attacker cannot get to other sensitive information. Awards in this category will go to vendors that sell hundreds of thousands or millions of operating systems and that seamlessly integrate the new technology into new versions of their main product.

B. Awards for Network Equipment Manufacturers

1. Delivering line rate filtering for ISPs to use to block attacks.

When a worm starts spreading through the Internet, users generally cannot act fast enough to protect their vulnerable systems. But ISPs could. Sadly, most routers do not have sufficient processing power to allow the large ISPs to filter traffic at the rate it passes through them. Yet they are in the best position to act. Routers that allow line rate filtering will add cost to the network, but they will provide the best possible "rapid response" to worms.

2. Delivering systems with out of band management communications.

Hackers can do a great deal of harm to the operation of the Internet by attacking routers. Routers are vulnerable because they can be targeted and attacked from any system on the Internet. If, instead, router management were invisible to all but authorized systems, routers would have an important additional layer of defense. The award in this category will be made to the organization that has a large-scale solution that can be inexpensively deployed.

3. Organizing ISPs for rapid industry-wide action.

Although ISPs may not have line-rate filtering, they can still act quickly to block access to infected systems - but only if they get early warning. Network system vendors are in the best position to create virtual networks of their clients' top security experts who can, once they know and trust each other, quickly share data during an attack.

C. Awards for Internet Service Providers

1. Rapid recovery from Denial of Service attacks against customers.

With hundreds of thousands of systems now under the control of attackers, distributed denial of service attacks are a plague on the Internet. Large ISPs report that they deal with several dozen such attacks every day. Customers involved in Internet-based business cannot function if their Internet connection is overwhelmed, so rapid, automated response to such attacks is essential to survival. The award in this category will go to the ISP that made the greatest innovation in stopping such attacks and shared it with competing ISPs.

2. Stopping worm damage on the wire.

Although line rate filtering would be the best defense an ISP could offer when a worm is tearing through the Internet, rapid blocking of certain addresses can also make a big difference. This award will go to the organizations that can best demonstrate how they protected thousands of systems from being infected or how they radically reduced the damage that a worm was causing.

3. Providing firewalls for clients.

Most users of DSL and cable modems are at least partially aware that they should have a firewall, but they delay installing one because they do not know how to acquire, install and configure such a system. ISPs can help by providing pre-configured firewalls as part of the ISP's service.

4. Providing spam elimination for clients.

Spam is a bother. Software is available that can filter spam but it misses a great deal of spam and sometimes blocks mail that was requested and needed. The award in this category goes to the large ISP that does the best job of blocking spam on behalf of, and with the participation of, its users.

5. Providing email filtering (for viruses and other malware) for clients.

Most PC users have virus detection systems, but these can almost never be updated rapidly enough to stop a new, fast-moving virus. Large corporations have deployed email filters that search for malicious code and that can be updated very quickly. ISPs can do the same job for their users, and this award will go to the ISPs that do the most effective job of email filtering.
