Security vendor says offshore development needs checks

An executive from Citadel Security Software Inc. pointed to offshore software development as one reason for security vulnerabilities in a hearing before a U.S. House Subcommittee Wednesday.

Software companies must add additional controls to the development process for software produced outside the U.S., said Steve Solomon, chief executive officer of the Dallas, Texas-based Citadel.

"Software development organizations should be required to have all overseas-developed software examined for malicious capabilities embedded in the code," Solomon told the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. "Industry and government must work together to develop some form of standard or review process to address this growing threat."

Solomon's comments were among the few that generated debate in the latest in a series of cybersecurity hearings before the subcommittee. Much of the hearing, which lasted more than two hours, was devoted to government agencies detailing their cybersecurity efforts, but Solomon's comments drew disagreement from Microsoft Corp. and Juniper Networks Inc. representatives.

"It really doesn't matter where software is developed," said Dubhe Bienhorn, vice president of Juniper Federal Systems. "It is a process that requires very tight controls and very intense scrutiny."

Solomon defended his comments by saying software vendors see offshore development as "easy and cheap."

"Maybe my colleagues on this panel have (offshore) processes in place," he added. "A lot of companies don't."

Subcommittee chairman Adam Putnam, a Florida Republican, focused some of his questions on the patching process after software vulnerabilties are discovered. Asked by Putnam if the patching process and the alert process that accompanies it is working well, Scott Culp, senior security strategist for Microsoft, said he believes software vendors are working hard to notify government and private customers.

"We have a very active interest in making sure as many people as possible know about our mistakes and how to fix them," Culp said.

Putnam then asked if Culp was generally satisfied with the patch and alert process Microsoft has now. Culp answered that he's never satisfied. "I'd like to send out a lot fewer of those alerts," Culp said.

Putnam started the hearing by taking both private companies and government agencies to task for not moving fast enough to address continuing cybersecurity concerns. "As a nation, we have taken very dramatic steps to increase our physical security, but protecting our information networks has not progressed at the same pace, either in the public or in the private sector," Putnam said. "I remain concerned that we are collectively not moving fast enough to protect the American people and the U.S. economy from the very real threats that exist today ... The time for action is now."