
Security vendor says offshore development needs checks

Jun 02, 2004

An executive from Citadel Security Software pointed to offshore software development as one reason for security vulnerabilities in a hearing before a U.S. House Subcommittee Wednesday.

Software companies must add additional controls to the development process for software produced outside the U.S., Citadel CEO Steve Solomon said.

“Software development organizations should be required to have all overseas-developed software examined for malicious capabilities embedded in the code,” Solomon told the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. “Industry and government must work together to develop some form of standard or review process to address this growing threat.”

Solomon’s comments were among the few that generated debate in the latest in a series of cybersecurity hearings before the subcommittee. Much of the hearing, which lasted more than two hours, was devoted to government agencies detailing their cybersecurity efforts, but Solomon’s comments drew disagreement from Microsoft and Juniper representatives.

“It really doesn’t matter where software is developed,” said Dubhe Bienhorn, vice president of Juniper Federal Systems. “It is a process that requires very tight controls and very intense scrutiny.”

Solomon defended his comments by saying software vendors see offshore development as “easy and cheap.”

“Maybe my colleagues on this panel have (offshore) processes in place,” he added. “A lot of companies don’t.”

Subcommittee chairman Adam Putnam (R-Fla.) focused some of his questions on the patching process that follows the discovery of software vulnerabilities. Asked by Putnam whether the patching process and the alert process that accompanies it are working well, Scott Culp, senior security strategist for Microsoft, said he believes software vendors are working hard to notify government and private customers.

“We have a very active interest in making sure as many people as possible know about our mistakes and how to fix them,” Culp said.

Putnam then asked if Culp was generally satisfied with the patch and alert process Microsoft has now. Culp answered that he’s never satisfied. “I’d like to send out a lot fewer of those alerts,” Culp said.

Putnam started the hearing by taking both private companies and government agencies to task for not moving fast enough to address continuing cybersecurity concerns. “As a nation, we have taken very dramatic steps to increase our physical security, but protecting our information networks has not progressed at the same pace, either in the public or in the private sector,” Putnam said. “I remain concerned that we are collectively not moving fast enough to protect the American people and the U.S. economy from the very real threats that exist today … The time for action is now.”

Solomon also suggested that companies that rely on patch management services have “false security” because they are missing larger problems, such as the lack of broad security policies and recovery after attacks. “On average, only 30% of an organization’s verified vulnerabilities relate to patching, leaving their networks exposed to the remaining 70% of the problem, which are more dangerous and easily exploited,” he said. “These products do not address the problem of full life-cycle vulnerability management, and effectively become part of the problem.”

Louis Rosenthal, executive vice president of ABN AMRO Services, called on the subcommittee to find ways to encourage software vendors to “accept responsibility” for the role their products play in supporting U.S. critical infrastructure. He also asked the subcommittee to support a measure making software vendors more accountable for the quality of their products and for continuing patch support for older, but still viable, versions of their software.

Incentives such as tax breaks, cybersecurity insurance and lawsuit reform could help software companies make more secure products, Rosenthal added.

Meanwhile, the U.S. Department of Homeland Security (DHS) is working with private companies to pump up the programs offered by US-CERT, the government’s computer emergency readiness team, said Amit Yoran, director of the National Cyber Security Division at DHS. US-CERT launched a national cyber alert system in January, and around mid-year it plans to roll out a partner program to encourage private companies and universities to work with government agencies. Goals of the partner program include the better sharing of information on cyber threats, improving cyber response and increasing discussion about cybersecurity, Yoran said.

Representative William Lacy Clay (D-Miss.) asked Yoran if the private sector was working with DHS on improving cybersecurity or whether there were “pockets of resistance.”

Yoran said he saw little reluctance from private companies. “We’ve been encouraged by the enthusiasm of the private sector to partner with the Department of Homeland Security,” he said.