Five US federal agencies, in collaboration with the Center for Internet Security and Oracle, are to announce a procurement initiative to improve software security later today.
Under the initiative, software suppliers will have to ensure that their products meet specific safe configuration requirements and that any fixes they provide to patch vulnerabilities are reliable and will not compromise those configurations.
The idea behind the initiative is to use the federal government's purchasing power to make software suppliers accept more responsibility for the security of their software, said Alan Paller, director of research at the SANS Institute, a security research organization.
The initiative was prompted by users' growing list of problems resulting from unsafe software configurations, he said, adding that software companies will have to ensure that default settings are secure to avoid problems later on.
The federal government recently launched a procurement program called SmartBuy, which it hopes will elicit better pricing and contractual terms from software suppliers by consolidating purchases.
SmartBuy will allow federal agencies to negotiate more stringent terms relating to security, Paller said. The initiative being announced tomorrow is an example of that tougher stance.
Sources confirmed Oracle's participation, although an Oracle spokeswoman declined to comment.
The other federal agencies participating in today's announcement are the US Department of Homeland Security, the National Security Agency, the Defense Information Systems Agency and the US General Services Administration. Around 120 chief information officers and security specialists from government and industry are also taking part.
Jaikumar Vijayan writes for Computerworld