US government agencies need to better understand the vulnerabilties of the software they are buying, said IT workers from several government agencies during a software assurance forum this week.
The forum, sponsored by the Department of Defense (DOD) and the Department of Homeland Security (DHS), was the first step in a long-term discussion between government agencies and suppliers on how to create more secure software, said Joe Jarzombek, deputy director for software assurance in the DOD Information Assurance Directorate.
Prompting the forum was "a growing awareness of the fact that we've got a lot of vulnerabilties in the software we're acquiring", said Jarzombek, one of the event's organisers.
A major concern among government IT workers is a need to understand how and where software is developed. In many cases, software used by government agencies is developed by outsourced workers, Jarzombek said, and government purchasers need to know that information.
"We are essentially inheriting risks we don't know about," he said. "We need to better understand those risks. When we put software into our network we are placing an agent of whatever company developed it on our networks."
The two-day meeting was attended by about 230 people, including employees of the Federal Bureau of Investigation, State Department and Central Intelligence Agency. Microsoft and Oracle were among the software suppliers represented.
Jack Danahy, chief executive officer of Ounce Labs said the forum showed an interest from government agencies to become more active in purchasing decisions.
"It was very clear that software assurance was top of the mind for these people," Danahy said. "The software companies recognise that everything they do is going to help, but this problem is by no means close to being solved."
Software developers should expect more security demands from customers in the near future, added Mike Rasmussen, principal analyst Forrester Research. Government agencies are under pressure from Congress to improve their cybersecurity, and agencies are moving toward making more security demands of software vendors.
A second software assurance forum is planned for February.
Grant Gross writes for IDG News Service