William Jackson | Focus on the data
- By William Jackson
- Mar 26, 2007
A panel of current and former federal officials discussed IT security at a symposium last week, and, surprisingly, there was little more than a passing reference to regulatory compliance.
Instead of FISMA requirements, the panel, hosted by Watchfire Inc., talked of the need to bake security into software being developed for government Web applications.
'Developers focus on functionality and don't always consider security,' said Mark Brown, deputy chief information security officer at the Health and Human Services Department. 'At HHS, we're beginning to take a deeper look at the concept of security in depth.'
On the surface, there is nothing shocking in this. The vulnerability of Web applications to malicious exploits is well-known, and there have been calls for years to build security into the software development process. Microsoft instituted its secure software development lifecycle five years ago, and the first major release under this program, the Windows Vista operating system, appears to be a step forward in security because of it.
What makes this panel surprising is that discussions of federal IT security have for years dwelt on the Federal Information Security Management Act, which sets out requirements for assessing and managing risk to IT systems. Since its inception, there have been complaints that FISMA is a paperwork exercise that distracts administrators from the job of securing networks. But to be honest, FISMA's effectiveness until now has been limited by the fact that the final standards and controls have only been completed in the last year. Over the next year or two, we should have a better idea of whether FISMA really contributes to improved security or is merely a distraction.
But Brown, at least, seems to think the FISMA controls specified by the National Institute of Standards and Technology will help.
'The robust implementation of NIST controls is critical' to security, he said during the panel discussion.
This seems to be part of a healthy trend toward thinking of security in terms of goals rather than point solutions. Those responsible for security are paying more attention to the software that stores and handles data than to the networks that move it. The trend is new enough that the coders writing the software still have not made security a top priority. Their job, as they see it, is to make sure software works and to get it into production as quickly as possible; the bugs can be worked out later, as vulnerabilities crop up.
Web applications offer a particular security challenge, because they are gateways that bring outside users and back-end resources together. A hacker exploiting a vulnerability in a Web application may be able to bypass all the perimeter protection on the network and get right to the data. And those vulnerabilities are being more commonly exploited as the Web becomes more important as a way of delivering services and accessing resources.
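To make that point concrete, here is an added illustration (not from the article or from the panel) of the kind of Web-application defect being described: a lookup handler that builds its database query by pasting in user input, placed beside a hardened version that validates the input and binds it as a query parameter. The in-memory SQLite database, the contacts table and its rows are constructed for the example; a request arriving through a firewall carries the same string either way, so the perimeter offers no help.

```python
import sqlite3

# Constructed sample records standing in for an agency's back-end data.
SAMPLE_ROWS = [
    ("alice", "555-0100"),
    ("bob", "555-0101"),
    ("carol", "555-0102"),
]

# A typical injection payload: closes the quoted literal and appends a tautology.
INJECTION = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (username TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Query assembled by string concatenation: the request parameter becomes SQL."""
    sql = "SELECT username, phone FROM contacts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, username):
    """Parameter binding alone: the input is passed as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, phone FROM contacts WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn, username):
    """Defense in depth at the application layer: reject malformed input before it
    reaches the database, then bind what remains as a parameter."""
    if not (1 <= len(username) <= 32 and username.isalnum()):
        raise ValueError("invalid username")
    return lookup_bound_only(conn, username)


def hardened_rejects(conn, username):
    """True if the hardened handler refuses the input outright."""
    try:
        lookup_hardened(conn, username)
    except ValueError:
        return True
    return False


def run_demo():
    """Run all three handlers against the payload and return what each gives up."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTION)),  # every record
        "bound_only_rows": len(lookup_bound_only(conn, INJECTION)),  # nothing
        "hardened_rejected": hardened_rejects(conn, INJECTION),       # refused
        "legitimate_lookup": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler returns the whole table to the payload because the quote in the input ends the literal and the rest is evaluated as SQL. Binding alone is sufficient to stop that; the input validation on top of it is the sort of development standard the HHS strategy below calls for, and it also keeps garbage out of logs and error paths that an attacker would otherwise probe.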
'Most Web applications are very vulnerable,' said Daniel McClure, vice president for government IT management at Gartner Inc. 'They seldom undergo the kind of testing we would like to see.'
The HHS strategy outlined by Brown for creating defense in depth focuses on processes rather than technology. In addition to implementing the NIST controls required by FISMA, it includes building security into the development lifecycle, with standards for development and configuration; incorporating risk management into business processes; and developing an anomaly detection strategy for spotting possibly malicious activity before signatures are available.
The traditional security tools such as firewalls, antivirus engines, and other filtering and detection devices remain necessary, and merely coming up with a new strategy does not ensure that security at HHS or any other agency will improve. But recognizing the importance of goals and processes is a necessary first step in moving security beyond static point-based devices and protecting the data that resides on our systems.
William Jackson is a Maryland-based freelance writer.