Former US cyber security Czar Andy Purdy is warning that globalisation, which is driving companies to pursue talent and lower costs around the world, has turned software development into a national security issue.
The former cyber security acting director at the US Department of Homeland Security (DHS) believes the global nature of software development is a concern.
“Companies are looking for the least expensive source of production, but there isn’t enough concern about the security of these networks and the data being stored on them,” he said at the AusCERT 2007 IT security conference, held on Australia’s Gold Coast last month.
“If the software is being developed in a part of the world that poses a risk we need to address this.”
Earlier this year Purdy formed DRA Enterprises, a consulting firm specialising in software assurance.
He also serves as a special government employee on the US Department of Defence Science Board Task Force on Software Assurance.
In this role he is seeking to raise the bar when it comes to software quality and is working with both the government and the private sector to increase collaboration. “Most software development practices focus on efficiencies not vulnerabilities,” he told conference delegates.
In his address on the cyber risk of untrustworthy software from the globalisation of information technology, Purdy called on delegates to support the Department of Homeland Security’s Software Assurance Programme, which aims to reduce software vulnerabilities.
“It has to be an international collaboration,” he stressed.
He cited Cyberstorm as an example of effective international collaboration. Cyberstorm is a series of cyber war games with simulated attacks that has involved a number of countries, among them Australia, the US and Canada; New Zealand will participate in next year’s exercise. Governments and critical infrastructure owners also took part.
“Cyberstorm was an important private and public sector effort,” he said, adding that when the results were assessed at the conclusion of the event, one government intelligence agency simply said “We’re doomed”. Purdy refused to identify the agency.
Surprisingly, he praised the software vendor community claiming it recognised the importance of software quality and is taking the necessary steps to get its house in order.
“We need the private sector to put pressure on governments and developers and we need to promote secure methodologies and tools,” Purdy said, adding that the DHS is creating an assurance framework.
“Government should leverage its purchasing power when buying software to increase quality and the private sector needs to improve their own in-house development processes.
“This means incorporating security into the software development lifecycle process.” Purdy said the programme is targeting four areas: people; processes; technology; and acquisitions.
As part of the programme, guidelines will be developed around outsourcing and offshore software development.
A draft guide was released on May 17 and a common dictionary of software weaknesses is also being developed.
“We have to stop being reactive when it comes to software vulnerabilities because when you look at where we are today it is a pretty bleak picture,” Purdy said, adding that nine out of 10 businesses in the US were affected by cyber crime last year.
While the media attended most of the AusCERT presentations, a closed session was held that was strictly limited to delegates. Computerworld has learned the session covered international cyber crime rings and was presented by FBI and US Secret Service employee Mark Grantz. Another session closed to media was a presentation by ANZ Bank information security consultant Stanislav Filshtinskiy on the cyber criminal economy.