DoD Should Rethink Assumptions on Software Assurance
Cybersecurity is multifaceted. The global information and communications technology (ICT) industry contributes in many ways, including by building products and services that improve cybersecurity. Today’s topic is software security, which is critical both to ITI member companies, which invest heavily in the processes and tools they use to improve the security of the software they produce, and to those companies’ customers, which purchase and depend on that software to run their businesses.
One important customer that relies greatly on secure software is the U.S. Defense Department (DoD), which recently issued a Request for Information (RFI) for Software Assurance. DoD cares about this issue because it buys a lot of software, deploying it in all manner of DoD systems and networks. That makes sense.
However, the RFI’s assumptions and questions are, unfortunately, flawed. According to DoD, it seeks “ideas for addressing the current and persistent lack of a consistent approach…for the certification of software assurance (SwA) tools, testing and methodologies… using automated vulnerability detection tools gauged to a common standard for effectiveness.” This assumes that certifying automated vulnerability detection tools against a single common standard of effectiveness would improve SwA. It would not.
As ITI explained in our RFI response, coding standards and tools are important to a secure development process, but there is no one-size-fits-all standard or tool. Organizations use different programming languages, compilers, operating system platforms and versions, and build software for different purposes. A static analyzer that excels at finding memory-safety defects in C says little about the injection or authorization flaws that matter most in a managed-language web application, and the reverse is equally true. Coding standards and tools must therefore vary with the language, platform, and purpose of the software.
In fact, DoD-mandated one-size-fits-all coding tools and standards would have downsides for DoD, for security, for innovation, and for global trade. First, they would likely decrease SwA, because some highly effective tools could fail to be “qualified,” while some inappropriate or ineffective tools could pass. This raises the risk that developers would spend their effort reworking code to satisfy the certified standard rather than to reduce real risk. Second, mandates to use particular tools or standards would require companies to undertake extraordinarily large resource commitments and product customization for government customers, which would result in unnecessarily higher costs, limited interoperability, less access to innovation, and fewer ICT suppliers available to the government. Finally, a one-size mandate could impede U.S. ICT companies’ competitiveness in the global marketplace. Any approach DoD takes will be watched carefully by governments around the world, which might feel empowered to similarly dictate coding tools and standards as a condition of selling into their government markets.
Instead of mandating specific tools or standards, DoD should approach SwA for its own procurements in a manner that is technology-neutral and vendor-agnostic, avoids creating new standards or government-run certification or testing regimes, and reforms DoD procurement processes by weighting SwA appropriately in contracting decisions.
One of ITI’s six Cybersecurity Principles for Industry and Government is that effective cybersecurity policies must leverage existing industry initiatives and resource commitments. As a responsible buyer of software, DoD seeks greater assurance regarding the security of software it procures. We could not agree more with that fundamental goal, and it can be best achieved by leveraging the existing processes used by global commercial-off-the-shelf (COTS) developers.
Put simply, software assurance comes from the development process: assured software results when the developer follows a process designed to produce it. Many vendors apply such processes, which result in fewer vulnerabilities and, for those that remain, reduced severity and greater difficulty of exploitation. DoD can build upon and benefit from these efforts by supporting such sound practices, rather than placing them at risk with something new. We have encouraged DoD to foster and maintain an open dialogue on this topic, and to convene public meetings. If DoD holds such meetings, ITI will be the first to sign up for the discussion.