Report: Government should adopt industry best practices in securing software
Connecting state and local government leaders
The tools and techniques exist to ensure that software is developed securely, but leadership in establishing a governmentwide priority has been lacking, observers say.
The tools, technology and techniques now exist to ensure that software is developed securely, but intruders still are compromising government information technology systems through known flaws because there is no comprehensive program to address these vulnerabilities, according to two security professionals.
Software assurance is a necessary step toward securing government systems, according to former White House security adviser Howard A. Schmidt.
“There are some really strong advocates and people who are doing it in government,” said Schmidt, now chief executive officer of the Information Security Forum Ltd. “But these are pockets. There is not the sense of urgency in making significant cultural changes.”
Schmidt was supporting the call by Fortify Software, a vendor of software-assurance tools, for a governmentwide program to focus on development and acquisition of secure software. A report released today by Fortify outlines best practices already being used by industry to build security into software. The appointment of a federal chief technology officer by President Obama offers an opportunity for government to adopt these best practices across the board, Fortify says.
“This new ‘culture of security’ should address software that is contracted, outsourced, [software as a service] or open-source code, as well as internally developed, and require a reallocation of resources and even a new way of thinking,” says the report, titled “Building In Security In Government Software.”
Schmidt said that, despite laudable goals, the Federal Information Security Management Act (FISMA) has not managed to solve security problems. But if FISMA has done nothing else, it has helped to identify the problem, said Fortify’s founder and chief scientist Brian Chess.
“We not only know it’s a problem, we know it’s a solvable problem and we know a lot about how to solve it,” Chess said.
The government report grew out of a broader study published earlier this year by Fortify and Cigital Inc. that identified a maturity model for building secure software. It looked at the practices used by a number of organizations with effective software-assurance programs and identified a set of benchmarks for an enterprisewide software-security program.
“They don’t all do the same thing,” said Chess, one of the authors of the maturity model. “But we think you can do a good job of describing what they are doing within this model.”
Companies studied included Adobe, EMC, Google, Qualcomm, Wells Fargo, and the Depository Trust and Clearing Corp., as well as Microsoft Corp., where Schmidt headed the Trustworthy Computing Security Strategies Group when the initiative was launched in 2002.
The software security framework identified in the maturity model included 12 practices organized under four domains:
- Under Governance are practices that help organize, manage and measure a software security initiative: Strategy and metrics, compliance and policy, and training.
- Under Intelligence are practices produce the corporate knowledge needed to carry out software activities: Attack models, security features and designs, and standards and requirements.
- Under Software Security Development Lifecycle are specific development artifacts and processes: Architecture analysis, code review, and security testing.
- Under Deployment are practices that work with traditional network security and software maintenance activities: Penetration testing, software environment, and configuration and vulnerability management.
- Organize for secure software development by appointing an accountable leader; a technical expert to oversee processes, technology and staffing; and a gatekeeper responsible for risk-based security processes and metrics.
- Implement preventive rather than operational security standards, with a proactive model for developing and acquiring secure software.
- Define a secure acquisition process spelling out what is expected from developers.
- Conduct comprehensive training for managers and developers.
- And finally, cleanse legacy systems.