A report released early this month by a task force within the Object Management Group outlines the standards needed to develop a consistent process for verifying the security of software sold to government agencies.

The task force, which is composed of representatives from private-sector companies and government agencies, is part of a broader effort to ensure that software products used by the government meet consistent and defined security standards.

“What the OMG is hoping to achieve in putting together these standards is to have a formal way of measuring if software is trustworthy,” said Djenana Campara, co-chairman of the Architecture-Driven Modernization Task Force within the OMG.

The standards will give vendors and software purchasers a consistent way to evaluate a system’s design robustness, reliability, process integrity and configuration controls, said Campara, who is also CTO of Klocwork Inc., a Burlington, Mass.-based vendor of vulnerability analysis software.

Such a framework is crucial to allowing software suppliers and buyers to represent their claims and requirements along with a way to verify them, said Joe Jarzombek, director of software assurance at the National Cyber Security Division of the U.S. Department of Homeland Security.

“When vendors make claims about the safety, security and dependability of products, what is the standard by which they are making those claims and what are the minimum levels of evidence” that are needed? he asked. “The reason to have a standard is it tells you, Here’s how you can make a claim, here are the attributes we are looking for, and here are the things you need to include when making a claim,” he said.
Having a process for enabling security verification is becoming important because of the increasing complexity of software systems, their growing interconnectedness and the globalization of software developers, Campara said.

Government systems that are used for national security purposes already need to go through a Common Criteria Certification process to determine whether they meet security requirements. OMG’s framework — which still has to go through a long approval process — will give another option to agencies that are not mandated to use the Common Criteria process, Jarzombek said.

In addition, a systems and software assurance standard that’s being finalized by the International Standards Organization (ISO/IEC 15026) will also give government agencies a standard they can use for assessing software security sometime next year, he said. The ISO standard is focused on the management of risk and assurance of safety, security and dependability of systems and software, he added.

By Jaikumar Vijayan – Computerworld (US online)