Government IT security begins at app level

Chris Wysopal and Jeff Rashka

The federal government has poured millions of dollars into security-related software purchases and into shoring up its computer hardware infrastructure. Yet many federal agencies have received failing grades on Federal Information Security Management Act compliance, and have seen little return on all that investment.

The root of the problem continues to be insecure software code. Vast amounts of the software in use today require constant care: continuous patching, special hardened configurations and an additional layer of security software to compensate for flaws in the applications themselves.

According to Gartner Inc. and Symantec Corp., most business security vulnerabilities now occur at the application layer. The greatest concern is the compromise of confidential financial and personal information held in application databases, and the lawsuits that can follow, which can be devastating to an agency's reputation. The recent loss of data by the Veterans Affairs Department illustrates that only too well.

What is required? First, government IT managers need to shift their focus toward increasing security at the application layer. Instead of relying on firewalls, intrusion detection systems and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle. That includes defining security requirements, setting security standards for software design and development, applying structured security testing techniques between phases, and managing patches on an ongoing basis.

Second, software development and test engineering staff need training so they can adhere to the new guidelines and standards.

In addition to securing homegrown software, government needs to address problems with commercial off-the-shelf software. Commercial software vendors have been too willing to wait for outside researchers or end customers to find security problems before issuing patches to fix them. Government customers are overwhelmed by the hundreds of patches they must test and install each year, and struggle to do so quickly enough to prevent damage.

COTS vendors need to perform software security testing on their own products, identifying and fixing problems before they ship, rather than leaving the government and other customers exposed during a high-risk window of vulnerability.

What can government do? Government IT managers need to use their buying clout and demand that software vendors integrate security into their development process. Insist on understanding the vendors' processes and tools, and if the software guards financial data or other sensitive information, demand to see the results of third-party validation of its security quality, or consider commissioning a third-party security testing effort.

The marketplace is full of examples where quality standards are in place to protect the end consumer. Contracting trusted third-party organizations at the agency level to support software security testing would be a step in the right direction.

That won't relieve government IT managers from needing specially trained staff to identify problems with software prior to implementation. But the benefits of applying stronger standards, modifying the development lifecycle and performing software security tests would be widespread, saving costs and increasing real security at the application layer.

Chris Wysopal is CTO at Veracode (cwysopal@veracode.com). Jeff Rashka is chair for VERIFY 2006 Software Conference (www.effectivesoftwaretesting.com).
