Monday, March 12, 2007

DoD Creates Foreign Software Pen-Test Team

Via GCN -

The Pentagon is fielding a task force charged with testing software developed overseas, according to a Defense Department official.

The “tiger team,” organized within the Defense CIO’s office, is ready to move to the implementation stage, said Kristen Baldwin, deputy director for software engineering and systems assurance in the Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics.

Baldwin spoke yesterday at the DHS-DOD Software Assurance Forum in Fairfax, Va.

“Tiger team” is a software-industry term for a group that conducts penetration testing to assess software security.

“Success means they understand where their focus needs to be and how to prioritize their efforts,” Baldwin said.

“They understand the supply-chain impact on systems engineering, and are ready to move forward in an effort to mitigate assurance risk.”

DOD strategy calls for using “all-source information to characterize supplier threat,” Baldwin added.

In 2004, the Government Accountability Office, noting that the military relies increasingly on software and information systems for its weapons capabilities, found that “traditional DOD prime contractors are subcontracting more of their software development to lower-tier and sometimes nontraditional defense suppliers,” which use offshore locations and foreign companies for some software development. An ongoing Defense Science Board task force, convened in 2005, is studying the same issue.

Offshore software development poses vulnerabilities, “such as the insertion of malicious code by software developers,” but mitigating those risks has “not been adopted as practice within DOD,” the GAO concluded.

Dealing with the impact of what the Pentagon dubs “the foreign influence on DOD software” will not involve a buy-American strategy, however. “Globalization is the reality we face,” Baldwin said. “We will continue to rely on a global supply chain” when acquiring software for the Department of Defense.

------------------------------------

In my experience, this doesn't happen enough... anywhere. Software created anywhere can be just as dangerous if the vendor isn't aware of the issues.

I have seen program systems used by Fortune 500 companies that were filled with holes... and those vendors would turn around and tell me that "none" of their other clients have seen these issues.

But I would guess that 99% of their clients are simple users of the system; they are not testing the software. Kinda scary.
