As cyber threats continue to increase, agencies are looking to software contractors for technologies to help protect their assets. Jerry Davis, NASA’s chief information security officer, says that’s not good enough.
“The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk,” he...
As cyber threats continue to increase, agencies are looking to software contractors for technologies to help protect their assets. ” target=”_blank”>AFCEA panel on the role of the CISO, says buying products that don’t interface correctly leads to a cycle of patching applications that is both time consuming and could compromise security.
NASA expects to teach Web developers how to look for and design secure applications. Classes also will focus on how to “design out common vulnerabilities” that are frequently exploited. Davis says Web applications are one of the most common attack vectors against both the government and the private sector.
Davis says SAWG expects to have the courses designed and sent out to its developers by the end of the calendar year.
Next fiscal year, the working group will begin developing tools to protect the vulnerable Web applications that NASA already is using.
“You can’t go back and fix them all, so you have to find out a way to protect those legacy applications using certain tools” says Davis.
SAWG functions under NASA’s IT Security Division and focuses primarily on applications developed in house, but also will look at new technology from contractors.
Davis says NASA exchanges information with contractors as products are in development: “We’re working with them, learning about their process, and teaching them about the cyber aspect of things of what they need to be aware of when their dealing with software applications,” he says.
Davis says NASA doesn’t have firm information on how much software is developed in house or on how many programmers are developing it. SAWG hopes to gather that data before or during the education phase in order to have a better idea of what their employees need.