[ISN] From layers to assurance

InfoSec News isn at c4i.org
Tue Feb 22 09:14:19 EST 2005


By Florence Olsen 
Feb. 18, 2005

SAN FRANCISCO - The problem of securing software continues to
preoccupy Homeland Security Department and Defense Department
officials, many of whom say the commonly used "layered defense"  
against insecure and malicious applications is not working.

Layered defenses rely on security measures added to each level through
which data passes, including networks, systems and applications.
However, that approach "is riddled with holes," said Joe Jarzombek,
the Pentagon's deputy director for software assurance. A better
approach, said Jarzombek and others who spoke here at the RSA
Conference, may be to spend more on software assurance testing and
better training — perhaps even mandatory certification — of software

"We want to shift the paradigm from patch management to software
assurance," said Hun Kim, deputy director for policy and strategic
initiatives at DHS' National Cyber Security Division.

Government interest in secure software extends beyond DHS and DOD to
Capitol Hill, Jarzombek said.

As part of a new Software Assurance Initiative at DHS, department
officials are working with members of the Institute of Electrical and
Electronics Engineers to collect the best available knowledge of
secure software development, Kim said. DHS and IEEE will then make it
available free to colleges and universities for developing new courses
in software assurance.

Another aspect of the software initiative, Kim said, will be to help
acquisition officials buy secure software using DHS-developed
standards, specifications and acquisition language for software

Kim said he hopes that everything achieved through the DHS program
will have far-reaching benefits. "We're trying to raise the level of
software assurance for the nation, not just DHS," he said.

DOD officials, who are working with National Security Agency officials
on a variety of similar initiatives, said the lack of software
assurance warrants more attention and funding than it has received.  
Some software products are attacked or infiltrated with malicious code
even before they are shipped, Jarzombek said.

One aspect of NSA's software assurance program is investigating how
software products, especially commercial products, are built. DOD's
software consumers know little about "who is doing the code and what
is in the code," said Daniel Wolf, director of the Information
Assurance Directorate at NSA.

Lawmakers are concerned about the outsourcing of software coding
overseas, but the same problem exists with domestic outsourcing, said
Ron Moritz, senior vice president and chief security strategist at
Computer Associates, which makes software security products. "There's
no difference whether you're outsourcing to Virginia or offshore if
you don't have a mechanism to understand what you're getting back," he

Software assurance testing such as NSA officials conduct through a
program known as the National Information Assurance Partnership is a
proven way to improve the quality and trustworthiness of software,
Wolf said. Software company officials have criticized NIAP as too
time-consuming and expensive, but it has nevertheless improved
software security, Wolf said.

NIAP personnel have found that between 35 percent and 45 percent of
the products submitted for evaluation have security problems, which
the vendors then fix, Wolf said. "We've also seen products disappear
from the market" after an evaluation, he said.

But primarily because the NIAP program has drawn considerable
criticism, DHS officials have commissioned the Institute for Defense
Analyses to review it, Kim said.

In addition to more rigorous software assurance testing, employee
training and certification may finally get the attention they deserve,
said Robert Lentz, director of the Information Assurance Directorate
at DOD. Employees who operate military networks are not certified for
that responsibility, but Pentagon officials are going to change that,
he added.

Some officials interested in software assurance think it might be a
good idea if software developers had to certify their work and be held
liable if software is faulty or unsafe. In disciplines such as
mechanical and civil engineering, engineers must certify that a bridge
they have built is safe, Wolf said. "Should we do the same in
software? Where's the accountability?"

Accountability, he said, should be more than a coupon for the next
software release.
