Navy Seeks To Lessen Possible Threats Posed By Software Outsourcing - InformationWeek


Navy Seeks To Lessen Possible Threats Posed By Software Outsourcing

The director of technology innovation at the Navy's Network and Space Operations Command says he plans to bolster and standardize security requirements in software outsourcing pacts.

An official who helps oversee IT operations for the U.S. Navy's global and space telecommunications systems says his branch needs to do a better job ensuring that the software it obtains from outsourcing contractors is secure upon delivery.

In an interview Thursday, Lt. Jamie Gateau, director of technology innovation for the Navy's Network and Space Operations Command in Dahlgren, Va., said he plans to beef up and standardize the security requirements specified in software outsourcing contracts that the group awards to external vendors. Gateau said he's also evaluating new technology that would help identify security vulnerabilities in externally sourced software.

Earlier this week, the General Accounting Office issued a report warning that Defense Department agencies that use software written outside of the United States could be placing the country's security in jeopardy. The GAO, the investigative arm of Congress, warned that programmers hostile to U.S. interests could write back doors into code that ultimately ends up in use by the military. To address software vulnerabilities and threats, the GAO recommends that the Defense Department better define software security requirements and compel program managers to lessen associated risks.

Gateau said he hasn't seen the report and that he was already planning to make the changes. "We've reached an understanding that security management is not something that can be slapped on," he said.

All future contracts awarded by the Navy's Network and Space Operations Command will contain "specific language that talks to software assurance; that secure code and reliable code will be required items," Gateau said, adding that such requirements currently aren't specified "in any concrete terms" even though most of the IT projects under the agency's watch are classified as "secret and higher." The changes would apply only to contracts written by the NSOC, though Gateau said other branches of the Navy may follow suit.

Some security experts say they're concerned that the Navy lacks uniform security requirements in its software contracts. "I'm surprised that they don't, given the sensitivity of some of these applications," says Brian Kelly, director of the Giuliani Center for Advanced Security in New York. The Defense Department "needs to be more aggressive in defining security requirements up front," he adds.

Gateau said he's also evaluating new technology designed to help detect back doors and Trojan horses in software. Among other things, he's looking at the forthcoming version 2.0 of OunceLabs Inc.'s Prexis software. The application is designed to detect malicious code by scanning for lines that appear faulty or that serve no apparent purpose. However, OunceLabs CEO Jack Danahy concedes that the product won't catch malicious code that also functions as a normal, working part of an application. "Nothing can catch that except manual code reviews," Danahy says.

As for offshore development, Gateau said he doesn't plan to write contracts that would prohibit his vendors from using developers based outside the United States. The risks identified by the GAO "aren't specific to offshore outsourcing," he said. "We run the same risk every day, with every piece of software we run."
