Globalization has made software development a national security issue

Expert says the global nature of software development is a concern

Former US cyber security tsar Andy Purdy this week warned that globalization, which is driving companies to pursue talent and lower costs around the world, has turned software development into a national security issue.

The former cyber security acting director at the US Department of Homeland Security (DHS) believes the global nature of software development is a concern.

"Companies are looking for the least expensive source of production, but there isn't enough concern about the security of these networks and the data being stored on them," he said.

"If the software is being developed in a part of the world that poses a risk we need to address this."

Earlier this year Purdy formed DRA Enterprises, a consulting firm specializing in software assurance.

He also serves as a special government employee on the US Department of Defense Science Board Task Force on Software Assurance.

In this role he is seeking to raise the bar when it comes to software quality and is working with both the government and private sector to increase collaboration.

"Most software development practices focus on efficiencies not vulnerabilities," he told delegates at the AusCERT 2007 IT security conference.

In his address on the cyber risk of untrustworthy software from the globalization of information technology, Purdy called on delegates to support the Department of Homeland Security's Software Assurance Program, which aims to reduce software vulnerabilities.

"It has to be an international collaboration," he stressed.

He referred to Cyberstorm as an example of effective international collaboration. Cyberstorm involved a series of cyber war games with simulated attacks and included a number of countries including Australia, the US and Canada. Governments and critical infrastructure owners participated.

"Cyberstorm was an important private and public sector effort," he said adding that at the conclusion of the event when the results were assessed one government intelligence agency simply said "we're doomed".

Purdy refused to identify the agency.

Surprisingly, he praised the software vendor community claiming it recognized the importance of software quality and is taking the necessary steps to get their house in order.

"We need the private sector to put pressure on governments and developers and we need to promote secure methodologies and tools," Purdy said adding that the DHS is creating an assurance framework.

"The government should leverage its purchasing power when buying software to increase quality and the private sector needs to improve their own in-house development processes.

"This means incorporating security into the software development lifecycle process."

Purdy said the program is targetting four areas: people; processes; technology; and acquisitions.

As part of the acquisitions part of the program guidelines will be developed around outsourcing and offshore software development.

A draft guide was released on May 17, 2007 and a common dictionary of software weaknesses is also being developed.

"We have to stop being reactive when it comes to software vulnerabilities because when you look at where we are today it is a pretty bleak picture," Purdy said adding that nine out of 10 businesses in the US were affected by cyber crime last year.

While media have been in attendance at most of the AusCERT presentations, a closed session was held yesterday that was strictly limited to delegates.

Computerworld understands the session covered international cyber crime rings and was presented by FBI and US secret service employee Mark Grantz.

Another session closed to media which was held earlier today was a presentation by ANZ Bank information security consultant Stanislav Filshtinskiy on the cyber criminal economy.