Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato

Page 7

"They have to be demanding. If customers don't make security a basic criterion, they lose their right to complain in a lot of ways when things go bad," she says.

At the bank, the security officer says, is a running list of vendors that are "certified," that is, they've successfully met the application security criteria by going through the formal process. The list is an incentive for vendors to clean up their code, because if they're certified, they have an advantage over those that aren't the next time they want to sell software. Vendors, he says, "have either gone broke trying to satisfy our criteria, or they run through the operation pretty well. A few see what we demand and just run away. But there doesn't seem to be any middle ground."

The government is taking an active role. The popular image of the government in security is that of a clumsy organization tripping over its own red tape. But right now, at least in terms of application security, the government is a driving force, and its efforts to improve software put the private sector's to shame.

In fact, no industry has been more effective in the past year at pushing vendors into security or using its clout (often, that comes in the form of regulation) to effect change.

At the state level, legislatures have collectively ignored the Uniform Computer Information Transactions Act (UCITA), a complex law that would in part reduce liability for software vendors (most major vendors have backed UCITA).

Federally, money has poured into the complex skein of agencies dealing with critical infrastructure protection, which has taken on a life of its own since 9/11. Equally important but not as well publicized, the feds fully implemented in July the National Security Telecommunications and Information Systems Security Policy No. 11, called NSTISSP (pronounced nissTISSip), after a two-year phase-in. The policy dictates that information assurance products, and products with built-in security functions, that are to be used in national security systems must be evaluated by an independent, accredited laboratory (for example, under the Common Criteria scheme) before the government will purchase them.

The government has for more than a decade tried to implement such a policy, but it has been put off. Vendors have routinely been able to obtain waivers through loopholes in order to avoid the process. The July move is considered a line in the sand. With national security on everyone's mind, experts believe waivers will be harder to come by. The Navy is telling kvetching vendors to treat NSTISSP No. 11 as a way to gain a competitive advantage. At any rate, products will have to be secured, or the government won't buy them. Like GE's contract, this makes software better for everyone.
