Further proving the government means business about using its spending muscle to influence the development of secure software, five federal agencies on Tuesday announced a new contract practice that puts the onus on vendors to supply customized, more readily secured software -- that won't break other systems when patched.
"Most software is delivered with all the functionality enabled and no security features enabled, and it's up to the implementer, integrator or system administrator to turn off a risky feature -- or even know there is a risky feature," said Glenn Schlarman, associate CIO for cybersecurity for the Department of Energy (DOE).
This new approach, he said, helps remove the guesswork with predetermined security settings. That, in turn, reduces the chance of human error in configuration management and the need for more resources and expenditures.
The DOE led a panel that included federal officials and representatives from the nonprofit Center for Internet Security (CIS) and software giant Oracle Corp. at a Washington, D.C., news conference, called to tout the new "model contract." The contract mandates that vendors deliver software that meets specific "safe configuration requirements," in part by establishing preset security levels and providing patches that won't change existing configurations once installed.
The DOE has signed the first contract under the new plan by agreeing to purchase $14 million worth of Oracle 8 and 9 database software for its headquarters and for all 85 national laboratories and field sites scattered throughout the country, Schlarman said.
Other agencies expected to participate in the early stages of the new procurement initiative include the Department of Homeland Security, National Security Agency, Defense Information Systems Agency and General Services Administration.
For the past several years, the federal government, with its $50 billion annual IT budget, has used its purchasing power to press vendors for less flawed (and therefore less exploitable) software out of the box. CIS has tried to raise the bar through benchmark security standards for a wide variety of IT environments.
CIS published benchmarks for Oracle that will serve as the guide for configuring federal database servers. Oracle, meanwhile, said new hotfixes and patches will be pushed to a central server at the DOE.
FOR MORE INFORMATION:
FEEDBACK: What impact will the "model contract" have on the development of secure, stable software?
Send your feedback to the SearchSecurity.com news team.