[ISN] Who Pushed Vendors Toward Better Security?

From: InfoSec News <alerts_at_private>
Date: Thu, 4 Dec 2008 03:37:20 -0600 (CST)

By Mary Ann Davidson
CSO at Oracle Corp.
CSO Online
December 03, 2008 

In the past five years, software assurance has moved from the 
theoretical to the practical, as more vendors disclose, or are required 
to disclose, their secure development practices, where they are not 
already using those practices as competitive differentiators.

The market shift has been led by critical customer segments as much as, 
or more than, by any vendor awakening.

Customers are increasingly focused upon lifecycle security costs in part 
because unexpected security events have become a large and unpredictable 
part of organizations' IT budgets. Whether it's providing secure 
software configurations or disclosing secure development practices, the 
software landscape for vendors has shifted from "nobody will pay more 
for better security" to vying in Snow White contests to be the universal 
response to: "Mirror, Mirror on the wall, who is the most 
security-minded vendor of all?" Customer demand is changing the 
marketplace for secure software, a trend that will accelerate through 
purchasing power or by policies with the effect of regulation.

The US federal government is a significant player in changing the 
security marketplace. Cost factors are leading to the increasing use of 
commercial off-the-shelf (COTS) software. In order to feel comfortable 
using COTS in critical systems, US federal agencies want more 
transparency regarding how, where and by whom the software they use is 
developed, in part to better assess risk, of which software 
security-worthiness is a large component.

A number of US government agencies, including the Department of Defense 
(DOD), the National Security Agency (NSA), the Office of Management and 
Budget (OMB) and the Department of Homeland Security (DHS) are focused 
on software security. DHS, for example, runs a software assurance forum 
where a broad tent of industry, academia and customers collaborate on 
better software development.

Multiple DHS software assurance working groups have produced materials 
in areas as diverse as secure development practice, security metrics, 
acquisition and developer education.

Received on Thu Dec 04 2008 - 01:37:20 PST