A report released early this month by a task force within the Object Management Group outlines the standards needed to develop a consistent process for verifying the security of software sold to government agencies.
The task force, which is composed of representatives from private-sector companies and government agencies, is part of a broader effort to ensure that software products used by the government meet consistent and defined security standards.
"What the OMG is hoping to achieve in putting together these standards is to have a formal way of measuring if software is trustworthy," said Djenana Campara, co-chairman of the Architecture-Driven Modernization Task Force within the OMG.
The standards will give vendors and software purchasers a consistent way to evaluate a system's design robustness, reliability, process integrity and configuration controls, said Campara, who is also CTO of Klocwork, a vendor of vulnerability analysis software.
Such a framework is crucial to allowing software suppliers and buyers to represent their claims and requirements along with a way to verify them, said Joe Jarzombek, director of software assurance at the National Cyber Security Division of the U.S. Department of Homeland Security.
"When vendors make claims about the safety, security and dependability of products, what is the standard by which they are making those claims, and what are the minimum levels of evidence that are needed?" he asked. "The reason to have a standard is it tells you, 'Here's how you can make a claim, here are the attributes we are looking for, and here are the things you need to include when making a claim,'" he said.
Having a process for enabling security verification is becoming important because of the increasing complexity of software systems, their growing interconnectedness and the globalization of software developers, Campara said.
Government systems that are used for national security purposes already need to go through a Common Criteria Certification process to determine whether they meet security requirements. OMG's framework -- which still has to go through a long approval process -- will give another option to agencies that are not mandated to use the Common Criteria process, Jarzombek said.
In addition, a systems and software assurance standard that's being finalized by the International Standards Organization (ISO/IEC 15026) will also give government agencies a standard they can use for assessing software security sometime next year, he said. The ISO standard is focused on the management of risk and assurance of safety, security and dependability of systems and software, he added.