Report: Government should adopt industry best practices in securing software

The tools, technology and techniques now exist to ensure that software is developed securely, but intruders still are compromising government information technology systems through known flaws because there is no comprehensive program to address these vulnerabilities, according to two security professionals.

Software assurance is a necessary step toward securing government systems, according to former White House security adviser Howard A. Schmidt.

“There are some really strong advocates and people who are doing it in government,” said Schmidt, now chief executive officer of the Information Security Forum Ltd. “But these are pockets. There is not the sense of urgency in making significant cultural changes.”

Schmidt was supporting the call by Fortify Software, a vendor of software-assurance tools, for a governmentwide program to focus on development and acquisition of secure software. A report released today by Fortify outlines best practices already being used by industry to build security into software. The appointment of a federal chief technology officer by President Obama offers an opportunity for government to adopt these best practices across the board, Fortify says.

“This new ‘culture of security’ should address software that is contracted, outsourced, [software as a service] or open-source code, as well as internally developed, and require a reallocation of resources and even a new way of thinking,” says the report, titled “Building In Security In Government Software.”

Schmidt said that, despite laudable goals, the Federal Information Security Management Act (FISMA) has not managed to solve security problems. But if FISMA has done nothing else, it has helped to identify the problem, said Fortify’s founder and chief scientist Brian Chess.

“We not only know it’s a problem, we know it’s a solvable problem and we know a lot about how to solve it,” Chess said.

The government report grew out of a broader study published earlier this year by Fortify and Cigital Inc. that identified a maturity model for building secure software. It looked at the practices used by a number of organizations with effective software-assurance programs and identified a set of benchmarks for an enterprisewide software-security program.

“They don’t all do the same thing,” said Chess, one of the authors of the maturity model. “But we think you can do a good job of describing what they are doing within this model.”

Companies studied included Adobe, EMC, Google, Qualcomm, Wells Fargo, and the Depository Trust and Clearing Corp., as well as Microsoft Corp., where Schmidt headed the Trustworthy Computing Security Strategies Group when the initiative was launched in 2002.

The software security framework identified in the maturity model included 12 practices organized under four domains:
  • Under Governance are practices that help organize, manage and measure a software security initiative: Strategy and metrics, compliance and policy, and training.
  • Under Intelligence are practices that produce the corporate knowledge needed to carry out software security activities: Attack models, security features and designs, and standards and requirements.
  • Under Software Security Development Lifecycle are specific development artifacts and processes: Architecture analysis, code review, and security testing.
  • Under Deployment are practices that work with traditional network security and software maintenance activities: Penetration testing, software environment, and configuration and vulnerability management.
The report released today cites a number of government examples of software-assurance programs within the Homeland Security Department and the National Institute of Standards and Technology, and recognizes the Air Force Software Assurance Center of Excellence as a model government initiative. But despite these efforts and the private-sector programs, best practices are not being applied consistently across government. According to some estimates, as much as 98 percent of successful intrusions of government systems are due to known software vulnerabilities.

The report makes five broad recommendations for agencies:
  • Organize for secure software development by appointing an accountable leader; a technical expert to oversee processes, technology and staffing; and a gatekeeper responsible for risk-based security processes and metrics.
  • Implement preventive rather than operational security standards, with a proactive model for developing and acquiring secure software.
  • Define a secure acquisition process spelling out what is expected from developers.
  • Conduct comprehensive training for managers and developers.
  • And finally, cleanse legacy systems.
Such a program would take time to produce results, Chess and Schmidt said.

“You’re talking about years to effect wide-scale change,” Chess said.

“I’m looking at about a five-year window to see a substantial change,” produced by development and adoption of good software, Schmidt said. “But you’ve got to start. You’re not going to get to that five-year point if you don’t start.”

Schmidt said President Obama has demonstrated an understanding of the power and use of information technology and of the importance of security that makes him optimistic that a governmentwide software assurance program could now succeed.

“Now we have a chance,” he said. “I feel more confident about it than I have for a long, long time.”

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Tue, Apr 21, 2009 pt

What best industry practices? I've seen private sector companies (blue chip) spend millions on new software and end up losing millions in business because the software doesn't pan out. Let's not get full of ourselves.

Mon, Apr 13, 2009

I have to say that this just sounds like a bit of self-serving PR for Fortify Software. Really, the gov writes very little software anymore, after years of push for OTS. What gets breached? Commercial web servers, commercial databases, MS Windows, etc. Should the feds start from scratch now, and write their own OS, db, servers, web2.0 apps and all?

Fri, Apr 10, 2009 R

I wholeheartedly concur that the government needs to adopt SwA... however it won't happen until it is legislated and/or included in organizational regulations. One of the first places that needs reform is acquisition regulations -- statements of work and/or requirement documentation needs to include SwA related procurement language.

Wed, Apr 1, 2009

I believe this is something that is critical and needs to be explained more to technical and non-technical senior-level decision makers. We need to get security built into everything we do, and this includes software developed and purchased.
