By Mary Ann Davidson
CSO at Oracle Corp.
December 03, 2008
In the past five years, software assurance has moved from the
theoretical to the practical, as more vendors disclose, or are required
to disclose, their secure development practices where they are not
already using those practices as competitive differentiators.
The market shift has been led by critical customer segments as much as,
or more than, by a vendor awakening.
Customers are increasingly focused upon lifecycle security costs in part
because unexpected security events have become a large and unpredictable
part of organizations' IT budgets. Whether it's providing secure
software configurations or disclosing secure development practices, the
software landscape for vendors has shifted from "nobody will pay more
for better security" to vying in Snow White contests to be the universal
response to: "Mirror, Mirror on the wall, who is the most
security-minded vendor of all?" Customer demand is changing the
marketplace for secure software, a trend that will accelerate through
purchasing power or by policies with the effect of regulation.
The US federal government is a significant player in changing the
security marketplace. Cost factors are leading to the increasing use of
commercial off-the-shelf (COTS) software. In order to feel comfortable
using COTS in critical systems, US federal agencies want more
transparency regarding how, where and by whom the software they use is
developed, in part to better assess risk, of which software
security-worthiness is a large component.
A number of US government agencies, including the Department of Defense
(DOD), the National Security Agency (NSA), the Office of Management and
Budget (OMB) and the Department of Homeland Security (DHS) are focused
on software security. DHS, for example, runs a software assurance forum
where a broad tent of industry, academia and customers collaborate on
better software development. Multiple DHS software assurance working
groups have produced materials in areas as diverse as secure development
practice, security metrics, acquisition and developer education.