U.S. government agencies need to better understand the vulnerabilties of the software they’re buying, said IT workers from several government agencies during a software assurance forum in Washington, D.C.
The forum, sponsored by the Department of Defense (DOD) and the Department of Homeland Security (DHS), was the first step in a long-term discussion between government agencies and vendors on how to create more secure software, said Joe Jarzombek, deputy director for software assurance in the DOD Information Assurance Directorate.
Prompting the forum was “a growing awareness of the fact that we’ve got a lot of vulnerabilties in the software we’re acquiring,” said Jarzombek, one of the event’s organizers.
A major concern among government IT workers is a need to understand how and where software is developed. In many cases, software used by government agencies is developed by outsourced workers, Jarzombek said, and government purchasers need to know that information. “We are essentially inheriting risks we don’t know about,” he said. “We need to better understand those risks. When we put software into our network we are placing an agent of whatever company developed it on our networks.”
Jack Danahy, chief executive officer of Ounce Labs Inc., compared the software defense agencies buy to the employees they hire. Government agencies can run background checks on employees, he noted. “There is no means to get (security) clearance for an application,” he said. “You never get to do a background check.”
The two-day meeting, closed to reporters, was attended by about 230 people, including employees of the Federal Bureau of Investigation, State Department and Central Intelligence Agency. Microsoft Corp. and Oracle Corp. were among the software vendors represented.
Danahy, who moderated a panel discussion on vendors and agencies working more closely together, said the forum showed an interest from government agencies to become more active in purchasing decisions. “It was very clear that software assurance was top of the mind for these people,” Danahy said. “The software companies recognize that everything they do is going to help, but this problem is by no means close to being solved.”
Software developers should expect more security demands from customers in the near future, added Mike Rasmussen, principal analyst Forrester Research Inc. Government agencies are under pressure from Congress to improve their cybersecurity, and agencies are moving toward making more security demands of software vendors.
“Is it happening across the board? No, not at this point,” Rasmussen said. “But I see a big interest.”
A second software assurance forum is planned for February.