Fortify also announced today the availability of a new IDC Government Insights ProveIT case study, "Best Practices: ProveIT Case Study for U.S. Air Force Software Assurance Center of Excellence," which examines the U.S. Air Force's initiative to implement application security and software assurance practices, after a massive breach of an Air Force information system. Government Insights believes that the approach taken in creating the Application Software Assurance Center of Excellence (ASACoE), its approach to implementing software security, and its growing role in the Air Force to change the information assurance paradigm provide other government organizations and managers with a sound model for emulation.
"It's no secret that the government possesses and maintains some of the most critical systems around," said Prof. Howard A. Schmidt, Former White House Cyber Security Advisor and CEO of the Information Security Forum Ltd. "Many of these applications involve national security, public safety, key financial systems and significant amounts of personal information that criminal hackers hope to exploit - and with the down economy, international agents and organized crime rings are using cyber attacks like never before. This Fortify report is a much needed resource for agencies to fully understand the true risk of application threats and become more proactive in defending their applications."
The report provides examples of how application security has been embraced within the private sector through mandates from the Federal Financial Institutions Examination Council (FFIEC) and the Payment Card Industry (PCI) Security Standards Council. It also describes how the government has made significant strides in implementing policies and processes to address application security, with examples such as the Department of Homeland Security's National Cyber Security Division Software Assurance Program and the National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tools Evaluation (SAMATE) project, which has reviewed various application security technologies.
Earlier this month, Fortify and Cigital partnered together to release the "Building Security In Maturity Model (BSIMM)," the industry's first-ever set of benchmarks for developing and growing an enterprise-wide software security program. BSIMM is based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC), and pulls together a set of activities practiced by nine of the most successful software security initiatives in the world. While BSIMM did not include any government agencies, it does provide insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.
"Government agencies today have implemented traditional network security solutions such as firewalls and intrusion detection and prevention systems, but many, if not most, haven't considered the negative implications if a mission-critical application is hacked or broken into," said Mark Kagan, Research Manager, IDC Government Insights. "However, the Air Force saw attacks on its applications rise from 2 percent in 2005 to 36 percent in 2007 and, as a result, put in place a strategy for addressing application threats head-on. Other government agencies should follow the Air Force's lead in taking a proactive approach to protecting their software and applications."
According to the report, to mitigate future software security threats, the federal government and individual agencies need to follow the example set by the Air Force and create an aggressive software security assurance (SSA) initiative. The new CTO must require all government entities to build in security first, not layer it on later. This new "culture of security" should address software that is contracted, outsourced, Software-as-a-Service (SaaS), or open source as well as internally developed, and will require a reallocation of resources and even a new way of thinking.
Some additional best practices outlined in the Fortify report include:
"A major weak spot for agencies is their lack of process for securing mission-critical software and applications but recently, it has been refreshing to see a few federal standards bodies such as NIST that have refocused on this area of vulnerability," said Brian Chess, Founder and Chief Scientist at Fortify Software. "It's really only a matter of time before these suggestions become application security mandates that agencies must adhere to. Our report is intended to provide guidance to agencies as they sort through these new mandates and develop their own application security strategies."
Fortify's full report, "Building in Security in Government Software," is available at: http://www.fortify.com/fedreport.jsp
IDC Government Insights ProveIT case study, "Best Practices: ProveIT Case Study for U.S. Air Force Software Assurance Center of Excellence" is available at: http://www.fortify.com/usaf.jsp
Fortify's "Building Security In Maturity Model (BSIMM)" can be downloaded here: http://bsi-mm.com.
About Fortify Software, Inc.
Fortify's Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite—Fortify 360—drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog at blog.fortify.com.