Offshore software development needs security checks, warns CEO

An executive from a security software company pointed to offshore software development as one reason for security vulnerabilities in a hearing before a US House Subcommittee yesterday.

Steve Solomon, chief executive officer of the Dallas-based Citadel Security Software said software companies must add additional controls to the development process for products produced outside the US.

"Software development organisations should be required to have all overseas-developed software examined for malicious capabilities embedded in the code," Solomon told the committee.

"Industry and government must work together to develop some form of standard or review process to address this growing threat."

Solomon's comments were among the few that generated debate in the latest in a series of cybersecurity hearings before the subcommittee. Much of the hearing was devoted to government agencies detailing their cybersecurity efforts, but Solomon's comments drew disagreement from Microsoft and Juniper Networks representatives.

"It really doesn't matter where software is developed," said Dubhe Bienhorn, vice president of Juniper Federal Systems. "It is a process that requires very tight controls and very intense scrutiny."

Solomon defended his comments by claiming software suppliers see offshore development as "easy and cheap".

"Maybe my colleagues on this panel have [offshore] processes in place," he added. "A lot of companies don't."

When asked by subcommittee chairman Adam Putnam if the patching process and the alert process that accompanies it is working well, Scott Culp, senior security strategist for Microsoft, said software suppliers were working hard to notify government and private customers.

"We have a very active interest in making sure as many people as possible know about our mistakes and how to fix them," Culp said.

Putnam then asked if Culp was generally satisfied with the patch and alert process Microsoft has now. Culp answered that he was never satisfied. "I'd like to send out a lot fewer of those alerts," he added.

Putnam had taken both private companies and government agencies to task for not moving fast enough to address continuing cybersecurity concerns.

"As a nation, we have taken very dramatic steps to increase our physical security, but protecting our information networks has not progressed at the same pace, either in the public or in the private sector.

"I remain concerned that we are collectively not moving fast enough to protect the American people and the US economy from the very real threats that exist today ... The time for action is now."

Citadel's Solomon also suggested that companies relying on patch management services have "false security" because they are missing larger problems, such as the lack of broad security policies and recovery after attacks.

"On average, only 30% of an organisation's verified vulnerabilities relate to patching, leaving their networks exposed to the remaining 70% of the problem, which are more dangerous and easily exploited," he said.

"These products do not address the problem of full lifecycle vulnerability management, and effectively become part of the problem."

Louis Rosenthal, executive vice president of ABN AMRO Services, called on the subcommittee to find ways to encourage software companies to "accept responsibility" for the role their products play in supporting US critical infrastructure.

He also asked the subcommittee to support a measure making software vendors more accountable for the quality of their products and for continuing patch support for older, but still viable, versions of their software.

Rosenthal suggested that incentives such as tax breaks, cybersecurity insurance and lawsuit reform could help software companies make more secure products.

Meanwhile, the US Department of Homeland Security is working with private companies to pump up the programmes offered by US-CERT, the government's computer emergency readiness team, said Amit Yoran, director of the National Cyber Security Division at DHS.

US-CERT launched a national cyber alert system in January, and around mid-year it plans to roll out a partner program to encourage private companies and universities to work with government agencies.

Goals of the partner program include the better sharing of information on cyber threats, improving cyber response and increasing discussion about cybersecurity, Yoran said.

"We've been encouraged by the enthusiasm of the private sector to partner with the Department of Homeland Security," he added.

Grant Gross writes for IDG News Service