Companies faulted for shipping flawed software

Software companies should take a hint from clothing companies and include “inspected by” tags with their products, said Howard Schmidt, a former information security adviser to President Bush who is now eBay’s chief information security officer.

Schmidt said companies should offer software buyers a level of assurance that what they’re purchasing is secure. “Here are 87 conditions you have to test for, and we want a little slip in there so we can go back and say, ‘You did it,’ or ‘No, you didn’t.’”

Such an inspection system could help enforce consequences for software companies for not including adequate security, Schmidt said. Consequences could include withholding payment or not renewing contracts.

Schmidt spoke Aug. 25 in Washington, D.C., at an event sponsored by Fortify Software. The company sells information security software tools. Schmidt is a member of Fortify’s board of directors.

“We have to start getting to the root of the problem -– writing more secure code,” Schmidt said. Well-known software flaws such as buffer overruns are not found and removed before vendors ship the software, he said.

The Defense Department runs two software security programs, the Common Criteria Certification program and, in cooperation with the National Institute of Standards and Technology, the National Information Assurance Partnership. Neither program checks for security at the code level, Schmidt said. Removing code flaws needs to be part of the certification process, he said.

No excuse exists for not performing code checks for security, Schmidt said, adding that information assurance tools are more robust and easier to use than ever. “I’m beginning to believe that we can put a big dent in the number of vulnerabilities out there,” he said.

Government regulation could be a major force in driving computer companies to vet their products before selling them, said Roger Thornton, Fortify’s co-founder and chief technology officer.

“The federal government is afraid it doesn’t have influence on software companies,” Thornton said. But large companies are as motivated by government regulation as they are by bad press coverage when their products are compromised, he said. The federal government “will have a giant influence on the software industry.”

Government procurement regulations should include information assurance analysis, Schmidt said, adding that companies overseas are already starting to write contracts that require security checks of the software they buy.

Federal agencies can use their relationships with systems integrators to require a formal security assurance check as part of the contracting process, Thornton said.

The government has taken a major step to show that it takes cybersecurity seriously by promoting the Homeland Security Department’s national cybersecurity director position to the assistant secretary level, Schmidt said.

The new assistant secretary for cyber and telecommunications will help the private sector understand interdependencies among sectors and what they can do to mitigate risk, he said. The private sector will do most of the work, however, because it owns and operates 85 percent of the country’s critical infrastructure.


  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

  • Comment
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    Doing digital differently at VA

    The Department of Veterans Affairs CIO explains why digital transformation is not optional.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.