September 02, 2004

U.S. government agencies aim for software assurance

IT workers hold forum

WASHINGTON -- U.S. government agencies need to better understand the vulnerabilities of the software they're buying, said IT workers from several government agencies during a software assurance forum in Washington, D.C., this week.

The forum, sponsored by the Department of Defense (DOD) and the Department of Homeland Security (DHS), was the first step in a long-term discussion between government agencies and vendors on how to create more secure software, said Joe Jarzombek, deputy director for software assurance in the DOD Information Assurance Directorate.

Prompting the forum was "a growing awareness of the fact that we've got a lot of vulnerabilities in the software we're acquiring," said Jarzombek, one of the event's organizers.

A major concern among government IT workers is a need to understand how and where software is developed. In many cases, software used by government agencies is developed by outsourced workers, Jarzombek said, and government purchasers need to know that information. "We are essentially inheriting risks we don't know about," he said. "We need to better understand those risks. When we put software into our network we are placing an agent of whatever company developed it on our networks."

Jack Danahy, chief executive officer of Ounce Labs Inc., compared the software defense agencies buy to the employees they hire. Government agencies can run background checks on employees, he noted. "There is no means to get (security) clearance for an application," he said. "You never get to do a background check."

The two-day meeting, closed to reporters, was attended by about 230 people, including employees of the Federal Bureau of Investigation, State Department and Central Intelligence Agency. Microsoft Corp. and Oracle Corp. were among the software vendors represented.

Danahy, who moderated a panel discussion on vendors and agencies working more closely together, said the forum showed that government agencies are interested in becoming more active in purchasing decisions. "It was very clear that software assurance was top of the mind for these people," Danahy said. "The software companies recognize that everything they do is going to help, but this problem is by no means close to being solved."

Software developers should expect more security demands from customers in the near future, added Mike Rasmussen, principal analyst at Forrester Research Inc. Government agencies are under pressure from Congress to improve their cybersecurity, and agencies are moving toward making more security demands of software vendors.

"Is it happening across the board? No, not at this point," Rasmussen said. "But I see a big interest."

A second software assurance forum is planned for February.

©1994-2010 Infoworld, Inc.