Fortify Releases Security Report For Government Agencies

SAN MATEO, CA. " March 31, 2009 - Fortify Software, the market leader in Software Security Assurance solutions, today released a new report, "Building in Security in Government Software," which describes the growing threat of application security attacks and key steps government agencies should take to implement a comprehensive Software Security Assurance (SSA) program. This report is intended to serve as a guide for all government entities to build security in and provides some best practices for addressing software security and implementing code reviews.

Fortify also announced today the availability of a new IDC Government Insights ProveIT case study, "Best Practices: ProveIT Case Study for U.S. Air Force Software Assurance Center of Excellence," which examines the U.S. Air Force's initiative to implement application security and software assurance practices, after a massive breach of an Air Force information system. Government Insights believes that the approach taken in creating the Application Software Assurance Center of Excellence (ASACoE), its approach to implementing software security, and its growing role in the Air Force to change the information assurance paradigm provide other government organizations and managers with a sound model for emulation.

"It's no secret that the government possesses and maintains some of the most critical systems around," said Prof. Howard A. Schmidt, Former White House Cyber Security Advisor and CEO of the Information Security Forum Ltd. "Many of these applications involve national security, public safety, key financial systems and significant amounts of personal information that criminal hackers hope to exploit - and with the down economy, international agents and organized crime rings are using cyber attacks like never before. This Fortify report is a much needed resource for agencies to fully understand the true risk of application threats and become more proactive in defending their applications."

The report provides examples of how application security has been embraced within the private sector with mandates from the Federal Financial Institutions Examination Council (FFIEC) and the Payment Card Industry (PCI) Security Standard Council. It also describes how the government has made some significant strides in implementing policies and processes to address application security with examples such as the Department of Homeland National Cyber Security Division's Security Software Assurance Program and the National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tools Evaluation (SAMATE) which has reviewed various application security technologies.

Earlier this month, Fortify and Cigital partnered together to release the "Building Security In Maturity Model (BSIMM)," the industry's first-ever set of benchmarks for developing and growing an enterprise-wide software security program. BSIMM is based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC), and pulls together a set of activities practiced by nine of the most successful software security initiatives in the world. While BSIMM did not include any government agencies, it does provide insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.

"Government agencies today have implemented traditional network security solutions such as firewalls and intrusion detection and prevention systems, but many, if not most, haven't considered the negative implications if a mission-critical application is hacked or broken into," said Mark Kagan, Research Manager, IDC Government Insights. "However, the Air Force saw attacks on its applications rise from 2 percent in 2005 to 36 percent in 2007 and, as a result, put in place a strategy for addressing application threats head-on. Other government agencies should follow the Air Force's lead in taking a proactive approach to protecting their software and applications."

According to the report, to mitigate future software security threats, the federal government and individual agencies need to follow the example set by the Air Force and create an aggressive SSA initiative. The new CTO must require all government entities to build in security first, not layer it on later. This new "culture of security" should address software that is contracted, outsourced, Software-as-a-Service (SaaS), or open source as well as internally developed, and require a reallocation of resources and even a new way of thinking.

Some additional best practices outlined in the Fortify report include:

Organize effectively for security by appointing: >> A Leader: Someone must be accountable for the entirety of the security process, from the legal aspects of vendor contracts to education of staff, to vulnerability assessment of software. >> An Expert: Organizations should designate an application security expert who is directly accountable for security processes, technology, and staffing. >> A Gatekeeper: Organizations should also appoint a security expert to identify the risk-based security processes and vulnerability metrics that are expected, then inspect and enforce the appropriate software security standards. The Gatekeeper will set in place metrics and then maintain, monitor, and report on compliance with standards, even—and especially—if the security issue never gets fixed. Organizations should empower the Gatekeeper to halt the release of any product or deliverable that does not meet security minimums.

Implement preventative—not operational—security standards: Organizations not only need standards on how to use software but standards for how to develop, contract or procure new software. The various existing state and federal and private guidelines should be unified, and the best used as a baseline for all.

Define a secure acquisition process: Beyond choosing the platform or the specific role of the software in the organization, care must be given that third party software, be it purchased, contracted or open source, should undergo intense security scrutiny. Third party software vendors should spell out what its developers have done to secure the software. Vendors should be contractually accountable for all their software. Open source should not become a default choice because of its low cost—cheap does not make it low risk.

Conduct comprehensive training: Organizations should plan to hold project and computer language-specific training workshops necessary to enhance the project managers and developers understanding of software security and get the developers to adopt the security best practices. Education is key to addressing security issues in all phases of the software development process and organizations should train software development managers on what your metrics mean. Train developers on how to fix security problems, and leave no room for anyone to deny understanding security requirements.

Cleanse legacy systems: Organizations should also engage in a campaign to cleanse legacy applications of security issues, or replace them with more secure code.

"A major weak spot for agencies is their lack of process for securing mission-critical software and applications but recently, it has been refreshing to see a few federal standards bodies such as NIST that have refocused on this area of vulnerability," said Brian Chess, Founder and Chief Scientist at Fortify Software. "It's really only a matter of time before these suggestions become application security mandates that agencies must adhere to. Our report is intended to provide guidance to agencies as they sort through these new mandates and develop their own application security strategies."

Fortify's full report, "Building in Security in Government Software," is available at: http://www.fortify.com/fedreport.jsp

IDC Government Insights ProveIT case study, "Best Practices: ProveIT Case Study for U.S. Air Force Software Assurance Center of Excellence" is available at: http://www.fortify.com/usaf.jsp

Fortify's "Building Security In Maturity Model (BSIMM)" can be downloaded here: http://bsi-mm.com.

About Fortify Software, Inc. Fortify''s Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite—Fortify 360—drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e"commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world"class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog at blog.fortify.com.