US government agencies need to better understand the
vulnerabilities of the software they are buying, said IT workers
from several government agencies during a software assurance
forum this week.
The forum, sponsored by the Department of Defense (DOD) and the
Department of Homeland Security (DHS), was the first step in a
long-term discussion between government agencies and suppliers on
how to create more secure software, said Joe Jarzombek, deputy
director for software assurance in the DOD Information Assurance
Directorate.
Prompting the forum was "a growing awareness of the fact that
we've got a lot of vulnerabilities in the software we're acquiring",
said Jarzombek, one of the event's organisers.
A major concern among government IT workers is a need to
understand how and where software is developed. In many cases,
software used by government agencies is developed by outsourced
workers, Jarzombek said, and government purchasers need to know
that information.
"We are essentially inheriting risks we don't know about," he
said. "We need to better understand those risks. When we put
software into our network we are placing an agent of whatever
company developed it on our networks."
The two-day meeting was attended by about 230 people, including
employees of the Federal Bureau of Investigation, State Department
and Central Intelligence Agency. Microsoft and Oracle were among
the software suppliers represented.
Jack Danahy, chief executive officer of Ounce Labs, said the
forum showed an interest from government agencies in becoming more
active in purchasing decisions.
"It was very clear that software assurance was top of the mind
for these people," Danahy said. "The software companies recognise
that everything they do is going to help, but this problem is by no
means close to being solved."
Software developers should expect more security demands from
customers in the near future, added Mike Rasmussen, principal
analyst at Forrester Research. Government agencies are under pressure
from Congress to improve their cybersecurity, and agencies are
moving toward making more security demands of software vendors.
A second software assurance forum is planned for February.
Grant Gross writes for IDG News Service.