DOE pioneers strategy for secure software
The government's new SmartBuy enterprise licensing initiative could also become "safebuy" if a deal recently negotiated by incoming e-government chief Karen Evans serves as a model.
While serving as chief information officer at the Energy Department, Evans persuaded Oracle Corp. officials to sign an enterprisewide contract under which they will ship database software with DOE's preferred security settings already configured. Evans, other government officials and an Oracle representative discussed the deal at a forum last week.
"To be easy to install, a lot of security features are turned off" by default, said Evans, who has been picked to succeed Mark Forman as administrator of the Office of Management and Budget's Office of E-Government and Information Technology. Agency officials must configure security when they implement a system, which is a time-consuming task that risks incompatibilities and inconsistencies among components.
DOE created a document called the Oracle Database Security Benchmark Version 1.0 to standardize installations. Oracle agreed to ship systems already set to meet those standards. Evans said DOE's success offers a model that other agencies can duplicate, especially as SmartBuy, a governmentwide enterprise licensing program, takes effect.
"The revolutionary part isn't the obvious part," said Alan Paller, director of research at the SANS Institute, a security training firm in Bethesda, Md. "The obvious part is they're using their buying power to force the vendor to deliver safer software."
DOE's approach solves the challenge of securely updating software, Paller said.
"When you get a hot fix, it assumes that you have the software that they sold you," he said. "It often assumes that you have the same settings as it had when they sold it to you. And to make sure of that, they reset them. That's the problem that Karen solved. She said to Oracle, 'You're going to deliver us the safe version, and you're going to deliver hot fixes that don't turn [settings] off.'"
The Oracle security benchmark addresses other issues that many agencies must deal with, Paller said. Operating systems and applications often run other services that can leave systems unnecessarily vulnerable to attack. The benchmark allows those services to be shut off to boost system security.
"I carefully turn services off and clip the wires of other services, so those services, if they later get a vulnerability, won't bite me," he said.
The Oracle contract needs a few months to show its effectiveness, he said. If it does, however, it could be replicated throughout the government.
The use of a standard benchmark creates a risk that it won't be suitable for all agencies, but Paller said those conflicts could be easily solved. "It doesn't mean we as users can't make changes to it. We're back into the same problem, just on a much smaller scale."
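The two problems Paller describes above, a hot fix that silently resets settings to the vendor's defaults, and a shared benchmark that individual agencies still need to tailor, are both detectable mechanically if the benchmark is kept as data. The following is an added example, not DOE's benchmark and not Oracle's or the Center for Internet Security's tooling: the setting names and values, the site override, and the "before" and "after" snapshots are all constructed for illustration. It merges documented local exceptions onto the shared benchmark, checks a snapshot of observed settings against it, and flags any setting that was compliant before a patch and is not afterwards.

```python
"""Benchmark compliance and post-patch drift check (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for a benchmark document: setting -> required value.
# Names are illustrative and are not taken from any real benchmark.
BENCHMARK = {
    "remote_os_authentication": "FALSE",
    "audit_trail": "DB",
    "default_account_passwords_changed": "TRUE",
    "unused_services.http_listener": "DISABLED",
    "unused_services.external_procedures": "DISABLED",
}

# A documented, site-local exception of the kind Paller describes:
# this agency needs external procedures, so it records a deliberate deviation.
SITE_OVERRIDES = {"unused_services.external_procedures": "ENABLED"}

# Constructed snapshots of observed settings, before and after a vendor hot fix.
PRE_PATCH = {
    "remote_os_authentication": "FALSE",
    "audit_trail": "DB",
    "default_account_passwords_changed": "TRUE",
    "unused_services.http_listener": "DISABLED",
    "unused_services.external_procedures": "ENABLED",
}
POST_PATCH = {
    "remote_os_authentication": "TRUE",      # reset to vendor default by the patch
    "audit_trail": "NONE",                   # reset to vendor default by the patch
    "default_account_passwords_changed": "TRUE",
    "unused_services.http_listener": "ENABLED",  # service re-enabled by the patch
    "unused_services.external_procedures": "ENABLED",
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    observed: str | None  # None when the snapshot lacks the setting entirely
    kind: str             # "noncompliant", "missing" or "reset_by_patch"


def effective_benchmark(benchmark: dict[str, str], overrides: dict[str, str]) -> dict[str, str]:
    """Apply documented site-local exceptions on top of the shared benchmark.

    Overrides for settings the benchmark does not know about are rejected so a
    typo cannot silently create an unreviewed exception."""
    unknown = set(overrides) - set(benchmark)
    if unknown:
        raise ValueError(f"overrides for settings not in the benchmark: {sorted(unknown)}")
    return {**benchmark, **overrides}


def check_compliance(snapshot: dict[str, str], benchmark: dict[str, str]) -> list[Finding]:
    """Compare observed settings to the benchmark; missing settings are findings too."""
    findings: list[Finding] = []
    for setting, expected in sorted(benchmark.items()):
        observed = snapshot.get(setting)
        if observed is None:
            findings.append(Finding(setting, expected, None, "missing"))
        elif observed.upper() != expected.upper():
            findings.append(Finding(setting, expected, observed, "noncompliant"))
    return findings


def detect_patch_drift(before: dict[str, str], after: dict[str, str],
                       benchmark: dict[str, str]) -> list[Finding]:
    """Settings that met the benchmark before a hot fix and no longer do afterwards."""
    already_bad = {f.setting for f in check_compliance(before, benchmark)}
    return [Finding(f.setting, f.expected, f.observed, "reset_by_patch")
            for f in check_compliance(after, benchmark)
            if f.setting not in already_bad]


def report(findings: list[Finding]) -> str:
    """Human-readable summary, one finding per line."""
    if not findings:
        return "compliant: no findings"
    return "\n".join(f"{f.kind}: {f.setting} expected={f.expected!r} observed={f.observed!r}"
                     for f in findings)


if __name__ == "__main__":
    effective = effective_benchmark(BENCHMARK, SITE_OVERRIDES)
    print("pre-patch:\n" + report(check_compliance(PRE_PATCH, effective)))
    print("post-patch drift:\n" + report(detect_patch_drift(PRE_PATCH, POST_PATCH, effective)))
```

Run before and after every vendor patch; anything reported as `reset_by_patch` is exactly the case Paller describes, a hot fix that undid the delivered secure configuration, and the override table is the audit trail for the agency-specific deviations he says remain a smaller-scale version of the same problem.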
Vendor cooperation will be necessary, he said. If vendors create a software configuration to conform to one agency's benchmark and then refuse to sell it as a product to other agencies, potential savings could vanish. "OMB can overcome that," he said.
The benchmark covers Oracle Database Versions 8i and 9i on Microsoft Corp. Windows and Unix operating systems, Evans said. It is a compilation of more than 250 security configuration recommendations.
DOE developed the benchmark with contributions from the Homeland Security Department, the National Security Agency, the General Services Administration and the Defense Information Systems Agency. The Center for Internet Security aided in the benchmark's development and is now working on a score card tool for agencies to use to assess if their systems comply with it.
"Every time we can raise the security bar, every time we can raise the awareness of people, we should recognize that," said Bob Lentz, director of information assurance at the Defense Department.
Lentz emphasized education and training. "You can't just drop these configuration guidelines and benchmarks into the laps of security administrators. You have to make sure they're trained adequately."
Under an agreement with the Energy Department, Oracle Corp. will ship the agency systems that:
* Monitor for and send alerts to warn of high-priority security incidents.
* Allow remote access only through an application gateway firewall that supports Oracle's network firewall proxy.
* Do not allow users to hard-code names and passwords into application code.
* Forbid applications to alter the database schema.
* Hide data used in test databases from the real database.
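Two items in the list above, no hard-coded names and passwords in application code and no schema changes issued by applications, are properties of the application source rather than of the database, so they can be checked with a static scan before code is deployed. The following is an added example, not part of the DOE agreement or of any Oracle tool: the patterns are constructed heuristics, and the sample application text they run over is invented for the example (it uses the `user/password@service` connect-string form and the `cx_Oracle` driver name only as a realistic shape for the sample).

```python
"""Static scan for hard-coded credentials and application-issued DDL (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    text: str


# Constructed heuristics; they are illustrative, not the benchmark's own checks.
RULES = {
    # user/password@service connect strings embedded in source
    "embedded_connect_string": re.compile(r"\b[A-Za-z_]\w*/[^\s'\"@]+@[\w.]+"),
    # a literal password assigned in source (reading it from the environment does not match)
    "password_literal": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]+['\"]"),
    # DDL issued from application code: the schema is not the application's to alter
    "schema_change": re.compile(r"(?i)\b(CREATE|ALTER|DROP)\s+(TABLE|INDEX|USER|VIEW|PROCEDURE)\b"),
}


def scan_source(source: str) -> list[Hit]:
    """Return one Hit per (line, rule) match, in file order. Comments are scanned too:
    a password left in a comment is still a password in the repository."""
    hits: list[Hit] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                hits.append(Hit(line_no, rule, line.strip()))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per rule, so a build can fail on any non-zero category."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.rule] = counts.get(h.rule, 0) + 1
    return counts


# Constructed sample application; every line is invented for this example.
SAMPLE_APP = """\
import cx_Oracle
DSN = "reporting.db.example"
conn = cx_Oracle.connect("appuser/Sup3rSecret@reporting.db.example")
password = "letmein"
cur = conn.cursor()
cur.execute("SELECT id, name FROM reports WHERE owner = :o", o=user)
cur.execute("ALTER TABLE reports ADD COLUMN notes VARCHAR2(200)")
"""

# The same connection written the way the requirement intends: credentials come from
# the environment (or a wallet or secrets store), nothing sensitive lives in the source.
CLEAN_APP = """\
import os
conn = connect(user=os.environ["DB_USER"], password=os.environ["DB_PASSWORD"], dsn=DSN)
cur.execute("SELECT id, name FROM reports WHERE owner = :o", o=user)
"""


if __name__ == "__main__":
    for hit in scan_source(SAMPLE_APP):
        print(f"line {hit.line_no}: {hit.rule}: {hit.text}")
    print("clean sample:", summarize(scan_source(CLEAN_APP)))
```

Heuristics like these produce false positives (a `/` inside a URL followed by `@`, for instance), so treat hits as review items rather than automatic rejections, and pair the scan with the runtime control the list also requires: the application's database account should simply lack the privileges needed to alter the schema.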