[ISN] 'Tiger team' to test foreign software

From: InfoSec News (alerts@private)
Date: Sun Mar 11 2007 - 23:10:50 PST


By Peter A. Buxbaum
Special to GCN

The Pentagon is fielding a task force charged with testing software 
developed overseas, according to a Defense Department official.

The tiger team, organized within the Defense CIO's office, is ready to 
move to the implementation stage, said Kristen Baldwin, deputy director 
for software engineering and systems assurance in the Office of the 
Undersecretary of Defense for Acquisition, Technology, and Logistics. 
Baldwin spoke yesterday at the DHS-DOD Software Assurance Forum in 
Fairfax, Va.

Tiger team is a software-industry term for a group that conducts 
penetration testing to assess software security.

"Success means they understand where their focus needs to be and how to 
prioritize their efforts," Baldwin said. "They understand the supply-chain 
impact on systems engineering, and are ready to move forward in an 
effort to mitigate assurance risk."

DOD strategy calls for using all-source information to characterize 
supplier threat, Baldwin added.

In 2004, the Government Accountability Office, noting that the military 
relies increasingly on software and information systems for its weapons 
capabilities, found that traditional DOD prime contractors are 
subcontracting more of their software development to lower-tier and 
sometimes nontraditional defense suppliers, which use offshore locations 
and foreign companies for some software development. An ongoing Defense 
Science Board task force, convened in 2005, is studying the same issue.

Offshore software development poses risks, such as the insertion of 
malicious code by developers, but mitigating those risks has not been 
adopted as practice within DOD, the GAO concluded.

Dealing with the impact of what the Pentagon dubs the "foreign influence" 
on DOD software will not involve a buy-American strategy, however. 
"Globalization is the reality we face," Baldwin said. "We will continue to 
rely on a global supply chain when acquiring software for the Department 
of Defense."
