Vendor recommends federal software security mandate

The Obama administration should require federal agencies to incorporate security features during software acquisition and development, a technology company recommended in a report released on Tuesday.

In addition, existing standards must be consolidated into a single, governmentwide software security mandate, San Mateo, Calif.-based Fortify Software Inc. advised President Obama's yet-to-be appointed chief technology officer in the report.

"When you look at government today, they're developing a huge amount of software and consuming a huge amount of software," said Robert Rachwald, director of product management at Fortify. "Software security is one of the most important [issues] that government should be worried about. It needs to be built in from the get-go. That's the approach we're calling for, with a central person singly responsible for ensuring that happens."

Chief information officers and chief information security officers lack the authority for this job, said Howard Schmidt, former White House cybersecurity adviser and chief executive officer of the nonprofit Information Security Forum. Fortify consulted with Schmidt on the recommendations.

"This needs to be an operational role, that has oversight of both the procurement and the technology," he said. "There is not a cut-and-paste job description already out there; there has not been the overarching person saying, 'This is how we do it,' who is part executive and part technologist."

The Homeland Security Department's Software Assurance Program is a potential model for reducing vulnerabilities and improving routine development and deployment processes, the report stated. Fortify also pointed to National Institute of Standards and Technology guidance for testing the effectiveness of software security tools, but noted it does not help make security a standard component of the software development cycle.

"The NIST guidelines are comprehensive, but more of a list and not a recipe for actual change," Rachwald said. "Developers just don't have a culture of security. Someone in management needs to step in and say, 'These things have to get done.' "

Agencies must hold third-party software vendors responsible for security and require them to document precautions taken during the development process, the report recommended. Agencies also should take an inventory of legacy software and cleanse applications of security issues or replace them with stronger code, Fortify advised.

In addition, Fortify recommended that agencies offer information technology employees comprehensive training on secure software development practices. The recommended enhancements could require more employees, the report stated, including application security experts and gatekeepers to establish security metrics and ensure compliance with standards.

"There needs to be a sense of urgency," Schmidt said. "What's going to be the wake-up call? We've had so many people hitting the snooze button so often, that you have to wonder when something is actually going to take."