Cisco CSO: Vulnerabilities Will Always Exist


With multiple product lines spanning networking gear, unified communications, video and collaboration tools, Cisco has a large footprint that it needs to secure. And that's the job of John Stewart, the chief security officer at Cisco and the man tasked with keeping security front and center.

Stewart is now leading a new effort within Cisco to emphasize a secure development lifecycle for all of the networking giant's products -- a need for continuous improvement in security practices that comes as the threat landscape continues to evolve.

"I believe we have to live with the idea that vulnerability will always exist," Stewart told "So in that construct, we have to design for it, be efficient about handling it and then ensure in the end that we try and avoid it as much as possible -- but adapt to it when it shows up."

Stewart described Cisco's approach to security as relying on multiple points of view, including those inside and outside the company, with the idea being that it's not possible for Cisco to know everything and to be able to discover every vulnerability on its own. The other key driver for Cisco's security policy, he said, is to try and find vulnerabilities first -- either on its own or with outside help -- before attackers do.

And for both, he stressed that it's critical to always keep looking for security vulnerabilities.

"The notion that you're ever done in this industry is a fallacy," Stewart said. "We never stop looking."

Secure development lifecycle

While security has long been a priority for Cisco, Stewart said that the company is now at an inflexion point. He noted that earlier this year, Cisco publicly disclosed a new approach to how security is baked into the development process.

"We call it the Cisco Secure Development Lifecycle (CSDL)," Stewart said. "Microsoft has its Microsoft Secure Development Lifecycle, and our effort is a credit to Microsoft's work. Microsoft, in fact, helped us quite a bit."

The Microsoft SDL began in 2003 as a company-wide effort to ensure that security was integrated into the product development process.

For Cisco, Stewart said one of the reasons why Cisco is moving to an SDL is to have a more consistent approach to finding and fixing vulnerabilities. Integrating security in every step of the development process is also critical in ensuring that Cisco is a trustworthy vendor for enterprises.

"I think there is a certain belief that with IT systems: People will start buying based on trust," Stewart said. "Do you trust that we developed it right, that there won't be problems in the future, and when there are problems, that Cisco will handle them correctly?"

Stewart added that while the Cisco Secure Development Lifecycle is now only in its nascent stages, he already has buy-in from his engineering teams and from Cisco's executive leadership.

Still, even with the new secure lifecycle approach, Stewart said there won't be any kind of final signoff from his group saying that a product is secure. Instead, he said that he's too cynical to use the word "secure," which he described as having a definition that can change over time.

For instance, he added that new flaws and software research occur all the time that can render vulnerable products that had been previously considered secure.

"The wrong conclusion is that it's 'secure,'" Stewart said. "I feel that it's very hard to make that happen."

Even though a "secure" product remains a moving target, Stewart still aims to have a very real contribution to a product's security, by developing an overview of each product that will show that it has been developed in compliance with Cisco's secure development policies and processes.

"If the process isn't perfect, then we'll improve it," Stewart said. "If there is a new wave of vulnerability from something we never thought of, then we'll improve the process. Essentially, the tide shows up and the boats all float."

And in doing so, Stewart is betting his work can help Cisco differentiate itself from its competitors based in part on the quality and trustworthiness of its security.

"Three years ago, I think we were still having the debate of whether security is an adjective or a noun -- is it embedded or is it separate?" he said. "Now I think it's absolutely expected that security, simplicity and management are three things that have to be part of all technologies."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.