Five US federal agencies, in collaboration with the Center for Internet Security and Oracle, are to announce a procurement initiative to improve software security later today.

Under the initiative, software suppliers will have to ensure that their products meet specific safe configuration requirements and that any fixes they provide to patch vulnerabilities are reliable and will not compromise those configurations.

The idea behind the initiative is to use the federal government's purchasing power to make software suppliers accept more responsibility for the security of their software, said Alan Paller, director of the security research firm the SANS Institute.

The initiative was prompted by users' growing list of problems resulting from unsafe software configurations, he said, adding that software companies will have to ensure that default settings are secure to avoid problems later on.

The federal government recently launched a procurement program called SmartBuy, which it hopes will elicit better pricing and contractual terms from software suppliers by consolidating purchases.

SmartBuy will allow federal agencies to negotiate more stringent terms relating to security, Paller said. The initiative being announced tomorrow is an example of that tougher stance.

Sources confirmed Oracle's participation, although an Oracle spokeswoman declined to comment.

The other federal agencies participating in today's announcement are the US Department of Homeland Security, the National Security Agency, the Defense Information Systems Agency and the US General Services Administration. Around 120 chief information officers and security specialists from government and industry are also taking part.

Jaikumar Vijayan writes for Computerworld.