Culture change needed at the federal government about software security

“By further addressing the issue of an agency’s culture and mindset toward secure software practices, in my opinion federal agencies will be better able to attract and retain those who are skilled in the field”, Tipton wrote in a recent blog.

Tipton was commenting on a survey of (ISC)² members conducted by Creative Intellect Consulting entitled The State of Secure Application Lifecycle Management, which found that management was not fully supportive of the need to improve the security of the software delivery process.

“The results of the survey show that security is still not embedded tightly into the software delivery process and that there is a belief, among practitioners, that management is not fully committed to a secure code approach. The culture and attitude or, to be more succinct, the lack of the right mindset for delivering and maintaining secure software, throws light on some worrying concerns”, the survey found.

Tipton told Infosecurity that there needs to be a change in the culture in the federal government. “First, they need to accept the fact that something needs to be changed, and for those that recognize that change is necessary, there needs to be a uniform acceptance of what that change should look like.”

The problem is “way more” than writing secure code. The solution has to address software security from a lifecycle perspective, he stressed.

The CIO Council is the best forum to coordinate efforts within the federal government to improve software security. “That is about the only way you have a prayer of getting different federal agencies to adopt a common routine… Left to their own devices and without good clear guidance and policies, even bureaus within agencies will develop their own solutions and go down separate paths on how they address software security”, Tipton said.

Too often information security and software development are viewed as two separate problems. “In reality, they ought to be integrated”, Tipton observed. “For the software people and the business people, the first priority has always been functionality; bells and whistles are what sell the software. The second thing is you’ve got to get it to market quickly, which means once a project gets started, if security hasn’t been involved in the design and requirements stage, then they have missed the boat.”

Security concerns do not end with software development. “Once [the software] comes out of the shrink wrap, someone has to configure it, they have to get it on the machines, they have to get it deployed, and it has to be configured correctly. You need people at all stages of the lifecycle that have an understanding of what makes software go bad”, Tipton said.

The report reflects the fact that people are getting the message about change management, but not the message that software security needs to be followed from the beginning to the end of its lifecycle, he concluded.