Taking software seriously

Richard Clarke, President Bush's cybersecurity czar, recently unleashed a verbal barrage on the software industry. "It's no longer acceptable that we can buy software — and run software on sensitive systems — that is filled with glitches," he said. He's absolutely right.

Even before Sept. 11, Clarke warned that our enemies would use our technology against us, and software products are no exception. Certainly, software that is built without attention to information assurance principles is inherently insecure, leaving our national cyber assets easily vulnerable to an attack.

Not all software companies take a lax approach to security, and those that build security into the software development process, rather than bolting it on through patches, provide better products. Many of those companies also go the extra step and invest in having their software tested against internationally recognized information assurance standards, such as the Common Criteria.

If more customers insisted on independently validated products, software companies would have no choice but to listen.

The federal government — the single largest buyer of commercial off-the-shelf software products — can change the marketplace for the better by demanding independently evaluated products. The Defense Department, for one, is developing a policy that would require the Pentagon to buy only commercial information assurance software that has passed independent security evaluations. This is an important first step. The next step is to enforce this policy consistently.

Strong enforcement has clear benefits. First, and most obviously, we'll have more secure products. If vulnerabilities are found during an independent evaluation, they must be fixed. No fix, no evaluation certificate.

Second, more software companies will build security into their products. Security evaluations force software companies to change their development processes for the better because it is largely the development process that is scrutinized during such evaluations.

Third, we'll cure the disease of lax security. As more and more companies go through evaluations each year, security will be built into their corporate DNA.

Clarke delivered the right message to software companies: When it comes to security, it's time to chirp or get off the twig.

Previous attempts by the federal government to implement tough information assurance policies during the past decade have failed largely because of rampant, indiscriminate use of waivers, which sent many software companies the message that the government wasn't serious about securing information systems.

The federal government, starting with DOD, can bolster Clarke's message by insisting that the procurement rules for secure software will be followed to the letter. It's time to show software companies that their biggest customer is serious about security.

Davidson is chief security officer at Oracle Corp. in Redwood Shores, Calif.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected