WASHINGTON -- U.S. government agencies need to better understand the vulnerabilties of the software they're buying, said IT workers from several government agencies during a software assurance forum in Washington, D.C., this week.
The forum, sponsored by the Department of Defense (DOD) and the Department of Homeland Security (DHS), was the first step in a long-term discussion between government agencies and vendors on how to create more secure software, said Joe Jarzombek, deputy director for software assurance in the DOD Information Assurance Directorate.
Prompting the forum was "a growing awareness of the fact that we've got a lot of vulnerabilties in the software we're acquiring," said Jarzombek, one of the event's organizers.
A major concern among government IT workers is a need to understand how and where software is developed. In many cases, software used by government agencies is developed by outsourced workers, Jarzombek said, and government purchasers need to know that information. "We are essentially inheriting risks we don't know about," he said. "We need to better understand those risks. When we put software into our network we are placing an agent of whatever company developed it on our networks."
Jack Danahy, chief executive officer of Ounce Labs Inc., compared the software defense agencies buy to the employees they hire. Government agencies can run background checks on employees, he noted. "There is no means to get (security) clearance for an application," he said. "You never get to do a background check."
The two-day meeting, closed to reporters, was attended by about 230 people, including employees of the Federal Bureau of Investigation, State Department and Central Intelligence Agency. Microsoft Corp. and Oracle Corp. were among the software vendors represented.
Danahy, who moderated a panel discussion on vendors and agencies working more closely together, said the forum showed an interest from government agencies to become more active in purchasing decisions. "It was very clear that software assurance was top of the mind for these people," Danahy said. "The software companies recognize that everything they do is going to help, but this problem is by no means close to being solved."
Software developers should expect more security demands from customers in the near future, added Mike Rasmussen, principal analyst Forrester Research Inc. Government agencies are under pressure from Congress to improve their cybersecurity, and agencies are moving toward making more security demands of software vendors.
"Is it happening across the board? No, not at this point," Rasmussen said. "But I see a big interest."
A second software assurance forum is planned for February.
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Applications Resource Alerts
Recommend This
