Taking software seriously

Commentary: If more customers insisted on independently validated products, software companies would have to listen

Richard Clarke, President Bush's cybersecurity czar, recently unleashed a verbal barrage on the software industry. "It's no longer acceptable that we can buy software — and run software on sensitive systems — that is filled with glitches," he said. He's absolutely right.

Even before Sept. 11, Clarke warned that our enemies would use our technology against us, and software products are no exception. Certainly, software that is built without attention to information assurance principles is inherently insecure, leaving our national cyber assets vulnerable to attack.

Not all software companies take a lax approach to security, and those that build security into the software development process, rather than bolting it on through patches, provide better products. Many of those companies also go the extra step and invest in having their software tested against internationally recognized information assurance standards, such as the Common Criteria.

If more customers insisted on independently validated products, software companies would have no choice but to listen.

The federal government — the single largest buyer of commercial off-the-shelf software products — can change the marketplace for the better by demanding independently evaluated products. The Defense Department, for one, is developing a policy that would require the Pentagon to buy only commercial information assurance software that has passed independent security evaluations. This is an important first step. The next step is to enforce this policy consistently.

Strong enforcement has clear benefits. First, and most obviously, we'll have more secure products. If vulnerabilities are found during an independent evaluation, they must be fixed. No fix, no evaluation certificate.

Second, more software companies will build security into their products. Security evaluations force software companies to change their development processes for the better because it is largely the development process that is scrutinized during such evaluations.

Third, we'll cure the disease of lax security. As more and more companies go through evaluations each year, security will be built into their corporate DNA.

Clarke delivered the right message to software companies: When it comes to security, it's time to chirp or get off the twig.

Previous attempts by the federal government to implement tough information assurance policies during the past decade have failed largely because of rampant, indiscriminate use of waivers, which sent many software companies the message that the government wasn't serious about securing information systems.

The federal government, starting with DOD, can bolster Clarke's message by insisting that the procurement rules for secure software be followed to the letter. It's time to show software companies that their biggest customer is serious about security.

Davidson is chief security officer at Oracle Corp. in Redwood Shores, Calif.