Certification boost for Homeland Security

The US Department of Homeland Security is emphasising government security certifications as a means of improving software...

The US Department of Homeland Security is emphasising government security certifications as a means of improving software security while avoiding more invasive government intervention.

The policy of the existing administration, as with the previous two, has been to allow market forces to drive security improvements in the software industry. However, with little evidence of the effectiveness of that approach, the government's commitment to fostering change is under scrutiny.

At a homeland security conference in Washington DC, Microsoft chairman Bill Gates expressed staunch support for government testing, certification and rewards for security improvements.

That approach is backed by Robert Liscouski, assistant secretary for infrastructure at DHS, who distinguished government certification from the type of regulation the administration opposes. He said that although private-sector decisions about security always come down to a business-case analysis, companies are often forced to make poor software choices, given the state of software quality and security.

"If we can get the risk management industry to recognise good practices that can be certified...I don't see that as regulation," he said. "I see that as a very positive incentive to get the industry to go where it has to go."

Dave Carey, president of information assurance at Oracle and a former CIA officer, said that although Oracle supports various government certification processes, such as the Common Criteria and Federal Information Processing Standard 140, "they are neither easy nor cheap".

On average, evaluations of Oracle products have taken eight to 10 months and cost about $1m (£600,000) each, said Carey. "But once done, customers can have the confidence that the security features in the products they buy function as intended," he added.

Whit Diffie, chief security officer at Sun Microsystems, said the certification process can be shortened, but reducing its cost will require significant changes to the overall testing architecture and methodology.

Dan Verton writes for IDG News Service

Read more on IT risk management