
Keeping Code Secure: Should Government Get Involved?

August 1, 2007 — 
The application security market got a shot in the arm earlier this summer when IBM announced plans to buy Watchfire, and Hewlett-Packard followed suit, declaring its intention to acquire SPI Dynamics. The entry of big players into a market made up of small startups is likely to boost the credibility of a message that application security toolmakers admit hasn’t yet fully taken hold: The key to keeping applications secure is writing code that is inherently harder to attack—not just blocking intruders at the network door.

That prompted SD Times to ask toolmakers whether a boost of another kind is in order: Should government specify standards for application security and serve as a certifying authority?

“There is nothing from government that says, ‘This is how you find out whether a Web site is secure.’ How is a consumer supposed to know?” said Cenzic vice president of marketing Mandeep Khera. “But how much can [government] mandate? And will the private sector listen?” he wondered.

Most of the toolmakers interviewed said government is highly unlikely to set such a standard, and that they do not want it to. “I’d be shocked, and it would be very, very hard to do, because the making of software affects every industry,” said Fortify co-founder and chief technology officer Roger Thornton.

“I don’t think government should set a standard,” added SPI Dynamics co-founder and chief technology officer Caleb Sima. “They have lagged behind [the private sector] in application security.”

But many of the toolmakers said a government-sponsored public awareness campaign to make Web shoppers more security-savvy could help to hold Web retailers accountable for keeping credit card numbers safe.

“Government could take the message to the masses,” said Ounce Labs founder and chief technology officer Jack Danahy. “That would be hugely interesting.”

Emerging Effort
If either initiative materializes in the United States, it will come from the Department of Homeland Security Office of Cyber Security and Telecommunications, led by assistant secretary Greg Garcia. Asked in an e-mail message whether DHS intends to set a standard for application security and act as a certifying authority, Garcia did not respond.

Coverity president and CEO Seth Hallam believes DHS will set a standard for application security and that government needs to play the role of a certifying authority. “We need a government seal. Otherwise how do we know [which Web applications] are trustworthy?”

He said the seeds of an emerging standard are evident on Build Security In (buildsecurityin.uscert.gov/daisy/bsi/home.html), a DHS Web site that publishes secure coding guidelines for software developers. “The coding rules are a start,” said Hallam. He envisions that DHS will take the first steps in establishing a standard, then work with the private sector to iron out the specifics. IBM and HP will be among the first backers, lending credibility to the government effort, he said. Then the application security “up and comers” will follow suit.

IBM is expected to complete its acquisition of Watchfire by the end of September. HP has said it plans to finalize the SPI Dynamics deal in the same time frame.

A more likely way for DHS to get involved in the application security arena is to work with the toolmakers in that market to promote secure coding best practices for organizations in both the private and public sectors, said Cenzic’s Khera.

That is already happening. The Build Security In site was developed for DHS by the Software Engineering Institute at Carnegie Mellon University. But the Information Technology Association of America (ITAA) and the vendors that belong to the nonprofit trade organization also contributed to that effort, Khera noted.

Garcia worked for the ITAA prior to assuming his role at DHS last September.

Also likely to emerge from DHS is a mandate on procuring software used by government agencies. It will work much the way the disability standards that apply to software do, said Watchfire vice president of marketing David Grant. “The government says, ‘Have you passed 508?’” he noted, referring to the 1998 amendment to the Rehabilitation Act, which required federal agencies to make their electronic and information technology accessible to people with disabilities. “That will happen for security as well.”

Fortify’s Thornton said that while the application security toolmakers don’t necessarily need the government to promote security awareness among consumers, the government can’t possibly assure national security unless the private sector does its part. The biggest challenge for DHS, Thornton said, is getting companies in banking and transportation and other industries that are core to the U.S. economy to understand the possible security threats. “It’s not hackers. It’s Iran. It’s North Korea. [Those countries] may be looking to damage the system our economy depends on.”


Share this link: http://www.sdtimes.com/link/30989