Report: 'Culture of security' would ensure software protection

The tools and techniques exist to ensure that software is developed securely, but leadership in establishing a governmentwide priority has been lacking, observers say.

Such a program would take time to produce results, Chess and Schmidt said. “You’re talking about years to effect wide-scale change,” Chess said.

“I’m looking at about a five-year window to see a substantial change,” produced by development and adoption of good software, Schmidt said. “But you’ve got to start. You’re not going to get to that five-year point if you don’t start.”

Schmidt said President Obama has demonstrated an understanding of the power and use of information technology and of the importance of security that makes him optimistic that a governmentwide software assurance program could now succeed.

“Now we have a chance,” he said. “I feel more confident about it than I have for a long, long time.”

The tools, technology and techniques now exist to ensure that software is developed securely, but intruders are still compromising government information technology systems through known flaws because there is no comprehensive program to address these vulnerabilities, according to two security professionals.

Software assurance is a necessary step toward securing government systems, according to former White House security adviser Howard A. Schmidt.

“There are some really strong advocates and people who are doing it in government,” said Schmidt, now chief executive officer of the Information Security Forum Ltd. “But these are pockets. There is not the sense of urgency in making significant cultural changes.”

Schmidt was supporting the call by Fortify Software, a vendor of software-assurance tools, for a governmentwide program to focus on development and acquisition of secure software. A report released today by Fortify outlines best practices already being used by industry to build security into software. The appointment of a federal chief technology officer by President Obama offers an opportunity for government to adopt these best practices across the board, Fortify says.

“This new ‘culture of security’ should address software that is contracted, outsourced, [software as a service] or open-source code, as well as internally developed, and require a reallocation of resources and even a new way of thinking,” says the report, titled “Building In Security In Government Software.”

Schmidt said that, despite laudable goals, the Federal Information Security Management Act (FISMA) has not managed to solve security problems. But if FISMA has done nothing else, it has helped to identify the problem, said Fortify’s founder and chief scientist Brian Chess.

“We not only know it’s a problem, we know it’s a solvable problem and we know a lot about how to solve it,” Chess said.

The government report grew out of a broader study published earlier this year by Fortify and Cigital Inc. that identified a maturity model for building secure software. It looked at the practices used by a number of organizations with effective software-assurance programs and identified a set of benchmarks for an enterprisewide software-security program.

“They don’t all do the same thing,” said Chess, one of the authors of the maturity model. “But we think you can do a good job of describing what they are doing within this model.”

Companies studied included Adobe, EMC, Google, Qualcomm, Wells Fargo, and the Depository Trust and Clearing Corp., as well as Microsoft Corp., where Schmidt headed the Trustworthy Computing Security Strategies Group when the initiative was launched in 2002.

The software security framework identified in the maturity model included 12 practices organized under four domains:

  • Under Governance are practices that help organize, manage and measure a software security initiative: Strategy and metrics, compliance and policy, and training.
  • Under Intelligence are practices that produce the corporate knowledge needed to carry out software security activities: Attack models, security features and designs, and standards and requirements.
  • Under Software Security Development Lifecycle are specific development artifacts and processes: Architecture analysis, code review, and security testing.
  • Under Deployment are practices that work with traditional network security and software maintenance activities: Penetration testing, software environment, and configuration and vulnerability management.

The report released today cites a number of government examples of software-assurance programs within the Homeland Security Department and the National Institute of Standards and Technology, and recognizes the Air Force Software Assurance Center of Excellence as a model government initiative. But despite these efforts and the private-sector programs, best practices are not being applied consistently across government. According to some estimates, as much as 98 percent of successful intrusions of government systems are due to known software vulnerabilities.

The report makes five broad recommendations for agencies:

  • Organize for secure software development by appointing an accountable leader; a technical expert to oversee processes, technology and staffing; and a gatekeeper responsible for risk-based security processes and metrics.
  • Implement preventive rather than operational security standards, with a proactive model for developing and acquiring secure software.
  • Define a secure acquisition process spelling out what is expected from developers.
  • Conduct comprehensive training for managers and developers.
  • And finally, cleanse legacy systems.