Agencies need to protect systems from software vulnerabilities that compromise availability, integrity and security.
Software quality does not happen by accident; neither does security.
Security must be an integral part of software design and code specifications so that federal agencies have appropriate levels of cyber resilience and assurance to protect weapon systems and IT environments from cyber threats.
Software applications are easily exploitable by adversaries, because many organizations are not applying the proper measures and due diligence to discover and patch vulnerabilities, especially prior to use. Agencies must protect systems from both software vulnerabilities and unintended software processing that compromise availability, integrity and other security properties.
That’s the message government and industry representatives attempted to drive home at the recent CISQ IT Risk Management and Cybersecurity Summit held in Reston, Va., in conjunction with the Object Management Group’s Technical Meeting. The Consortium for Software Quality (CISQ) is an IT industry group working to introduce a computable metrics standard for software quality and size.
“There is much more work that can be done in cybersecurity in [software] development,” said Michael Gilmore, director of operational test and evaluation with the Office of the Secretary of Defense. DOT&E conducts operational testing to assure that military services’ field weapons work in combat, which is as serious a threat to military forces as the air, land, sea, and undersea threats.
Recent DOT&E testing revealed exploitable cyber vulnerabilities that earlier technical testing could have mitigated, including unnecessary network services or system functions, as well as misconfigured, unpatched or outdated software as well as weak passwords, Gilmore said.
“When we do cybersecurity assessments, we get in almost every time,” Gilmore said. What’s more, DOT&E’s red team, which penetrates an organization's digital infrastructure to test an agency’s defenses, doesn’t have to use sophisticated methods to penetrate DOD networks, Gilmore said. “In our view, [the agencies] didn’t need to wait until DOT&E found security issues, [the flaws] could have been found during software development.”
Cyber hygiene reduces risks
Data suggests that 80 percent of exploitable vulnerabilities are the result of poor or no cyber hygiene, according to Bob Dix, VP of policy for Juniper Networks and a former staff director with the House Oversight and Government Reform Committee. “If we were successfully installing effective patch management programs, configuration management programs and software update programs, we would raise the bar of protection dramatically,” said Dix, who also spoke at the summit.
Joe Jarzombek, with the Department of Homeland Security also acknowledged the need for better cyber hygiene, especially in the development of software applications.
The keys to software assurance are quality, safety and security, Jarzombek said. Quality focuses on identifying unintentional defects in software component or system integrity. Safety manages the consequences of those defects, while security addresses intentional actions that target exploitable constructs, processes or behaviors. Many organizations are not handling these well today, he said.
An even bigger challenge is that most software is composed of open source and reused components laden with known vulnerabilities. This has huge implications for organizations that use globally sourced technology with varying levels of acquisition due-diligence and a lack of transparency in the process chain of custody. Multiple disparate and sourced modules constructed into one software system pose a tough challenge, especially at the integration points between components.
That is why CISQ is working on a specific standard for evaluating source code to help developers find and mitigate actual vulnerabilities and weaknesses in software at the structural and code levels. It also helps software and business managers measure the level of quality and cyber hygiene in their software.
“The goal is to make structural quality as important as functional quality,” said Bill Curtis, executive director of CISQ.
CISQ also developed an automatable source code measure to track overall quality and security hygiene and predict the vulnerability of source code to unwanted intrusions. It assesses software at the code and architectural levels where the trickiest and most exploitable vulnerabilities lie.
The bottom line is that security should be considered as part of an ecosystem. Firewalls can stop some cyber threats but are not effective on spear-phishing or insider threats. “Ultimately, we will all be compromised,” a DHS source warned. So agency IT managers need to focus mitigating that risk – what is known as cyber resilience.