DHS debuts Energy Star-like system for software security
Ratings will help agencies weed out products with vulnerabilities, and would give companies a financial incentive to take safety measures.
The Homeland Security Department and consulting firm Mitre Corp. on Monday unveiled a system for rating the protection of software products to help agencies, contractors and consumers ensure they are buying safe technology, in the same way the Energy Star labeling program helps guarantee eco-friendly purchases, DHS officials said.
The scoring reflects the degree to which software offerings defend against the most common programming flaws -- which are widespread in agency systems as noted by a recent audit of Internal Revenue Service databases. Last week, the Treasury Department inspector general released a report that found software housing taxpayer information is not always protected against attacks.
One of the IG's recommendations called for the IRS chief technology officer to "ensure a thorough technical product evaluation . . . is consistently conducted and documented for the acquisition of software products." This is exactly what the new Common Weakness Scoring System will do, said Alan Paller, research director for the SANS Institute, a computer security think tank that has endorsed the metrics..
"You would demand in your procurement document that the creator supplies you with the scores," which would range from, perhaps, one to 100, he said. The idea is that companies selling software and cloud services, or online applications that third parties operate remotely for customers, would then have a financial incentive to build high-scoring products.
Today, agencies have no consistent way to assess whether the software and online services they are considering for purchase are likely to withstand hacks and viruses. The most common coding mistakes include neglecting to restrict user access encrypt sensitive data and validate data entering the system, according to a list of the 25 most dangerous software errors that Mitre released in conjunction with the new metrics.
With security benchmarks, federal contractors that build software and agencies that buy software will have verification that serious defects have been eliminated, Paller said.
DHS officials said the scoring technique is the result of a public-private partnership called the Software Assurance Program that is working to develop practical guidance and tools for securing software. The team also is collaborating on software research and development to prevent basic programming errors and ensure systems remain protected when portions of their software are compromised.
In last week's IRS review, Michael R. Phillips, deputy IG for audit at the Treasury Inspector General for Tax Administration, wrote that, at a time when all federal databases are increasingly being targeted by hackers, "disgruntled insiders or malicious outsiders can exploit security weaknesses over databases and may gain unauthorized access to taxpayer data, resulting in identity theft or fraud."
The report found that some software had not received the latest bug fixes, as well as other vendor support. In addition, the agency was not running appropriate vulnerability scans on all databases.
Paller noted most federal databases contain such weaknesses, and that IRS may not be in any worse shape than other agencies. "The IG has shined a light on mistakes that every agency makes," he said.
In an April memo responding to a draft report, IRS officials agreed to follow the IG's recommendations for improving security, including the software purchasing advice. IRS Chief Technology Officer Terrance V. Milholland wrote that by September the agency will require personnel follow new product selection guidance to evaluate software specifications and test key functions before buying any new software.
The scoring system unveiled Monday is not mandatory for agency or commercial software development, or for federal procurement.
The metrics are separate from a federal cloud certification program called FedRAMP -- which is expected to be finalized this summer -- to make sure Web-based services meet government information security criteria.