Companies faulted for shipping flawed software

Software makers should offer buyers a level of assurance that the software they're purchasing is secure, said Howard Schmidt, eBay's chief information security officer.

Software companies should take a hint from clothing companies and include “inspected by” tags with their products, said Howard Schmidt, a former information security adviser to President Bush who is now eBay’s chief information security officer.

Schmidt said companies should offer software buyers a level of assurance that what they’re purchasing is secure. “Here are 87 conditions you have to test for, and we want a little slip in there so we can go back and say, ‘You did it,’ or ‘No, you didn’t.’”

Such an inspection system would give buyers a way to impose consequences on software companies that fail to build in adequate security, Schmidt said. Those consequences could include withholding payment or not renewing contracts.

Schmidt spoke Aug. 25 in Washington, D.C., at an event sponsored by Fortify Software. The company sells information security software tools. Schmidt is a member of Fortify’s board of directors.

“We have to start getting to the root of the problem – writing more secure code,” Schmidt said. Well-known software flaws such as buffer overruns are not found and removed before vendors ship the software, he said.

Two government programs already evaluate the security of software products: the Common Criteria certification scheme and the National Information Assurance Partnership, which the National Security Agency runs in cooperation with the National Institute of Standards and Technology. Neither program checks for security at the code level, Schmidt said. Removing code flaws needs to be part of the certification process, he said.

No excuse exists for not performing code checks for security, Schmidt said, adding that information assurance tools are more robust and easier to use than ever. “I’m beginning to believe that we can put a big dent in the number of vulnerabilities out there,” he said.

Government regulation could be a major force in driving computer companies to vet their products before selling them, said Roger Thornton, Fortify’s co-founder and chief technology officer.

“The federal government is afraid it doesn’t have influence on software companies,” Thornton said. But large companies are as motivated by government regulation as they are by bad press coverage when their products are compromised, he said. The federal government “will have a giant influence on the software industry.”

Government procurement regulations should include information assurance analysis, Schmidt said, adding that companies overseas are already starting to write contracts that require security checks of the software they buy.

Federal agencies can use their relationships with systems integrators to require a formal security assurance check as part of the contracting process, Thornton said.

The government has taken a major step to show that it takes cybersecurity seriously by promoting the Homeland Security Department’s national cybersecurity director position to the assistant secretary level, Schmidt said.

The new assistant secretary for cyber and telecommunications will help the private sector understand interdependencies among sectors and what they can do to mitigate risk, he said. The private sector will do most of the work, however, because it owns and operates 85 percent of the country’s critical infrastructure.