The government is raising the bar. Contractors, beware: the government is doing a much better job of inspecting IT deliverables. I had a situation this week in which I asked the Information Security Office of my agency to perform penetration testing on a release. The Information System Security Project Manager (ISSPM) was able to take control of the application and could have seized the system.
Many agencies have established policies concerning secure code. It is only a matter of time before there is a law on the books mandating that policy across the sector. When I describe this type of policy, I think it is congruent with the Section 508 policy (from the Americans with Disabilities Act). Under 508, if a contractor delivers an IT product that is not 508 compliant, the government does not have to pay for the product, or, if the government has already paid for it, the product is made 508 compliant at the cost of the contractor.
Similarly, if a contractor delivers an IT product that has vulnerabilities that allow a hacker to take control of the application, then the government should either not pay for that deliverable or, if it has already been paid for, have the vulnerability remediated at the cost of the contractor.
Two years ago this was probably just as much of a problem as it is today. The only difference is that the government generally lacked the technical sophistication to verify the security of the delivered product. Now, thanks to an investment in training and several strong industry tools, the government has the capability to verify.
I know that there are significant vulnerabilities out there. Trust me when I tell you, it will be cheaper in the long run to adopt best practices and keep your developers honest. The types of vulnerabilities I am seeing come from poor development practices and lazy developers who don't clean up their code. The government now has the capability to see these weaknesses, and when they are identified they reflect poorly on you as a company.