By Peter A. Buxbaum
Special to GCN
The Pentagon is fielding a task force charged with testing software
developed overseas, according to a Defense Department official.
The tiger team, organized within the Defense CIO's office, is ready to
move to the implementation stage, said Kristen Baldwin, deputy director
for software engineering and systems assurance in the Office of the
Undersecretary of Defense for Acquisition, Technology, and Logistics.
Baldwin spoke yesterday at the DHS-DOD Software Assurance Forum in
Tiger team is a software-industry term for a group that conducts
penetration testing to assess software security.
"Success means they understand where their focus needs to be and how to
prioritize their efforts," Baldwin said. "They understand the supply-chain
impact on systems engineering, and are ready to move forward in an
effort to mitigate assurance risk."
DOD strategy calls for using all-source information to characterize
supplier threat, Baldwin added.
In 2004, the Government Accountability Office, noting that the military
relies increasingly on software and information systems for its weapons
capabilities, found that traditional DOD prime contractors are
subcontracting more of their software development to lower-tier and
sometimes nontraditional defense suppliers, which use offshore locations
and foreign companies for some software development. An ongoing Defense
Science Board task force, convened in 2005, is studying the same issue.
Offshore software development poses vulnerabilities, such as the
insertion of malicious code by software developers, but mitigating those
risks has not been adopted as practice within DOD, the GAO concluded.
Dealing with the impact of what the Pentagon dubs the foreign influence
on DOD software will not involve a buy-American strategy, however.
Globalization is the reality we face, Baldwin said. We will continue to
rely on a global supply chain when acquiring software for the Department