The New New Internet: Anything else you can tell us about what you think the new security guidelines will mean?
Kelly Collins: I’ll give you a couple of observations that our federal customers find quite interesting and I think are very pertinent to the topic of software security in government systems. There are not that many government organizations left that do their own software development, meaning they employ software developers on the government payroll and have two or three thousand developers that work with them and build the majority of their code. There are a few notable exceptions. Surprisingly, they are mainly in civilian agencies such as the FAA, the Social Security Administration, the VA, and the IRS. Each one of them has at least two thousand developers that work for the agency building their software. Interestingly enough, those four agencies have a very intense focus on software security and have created some of their own policy guidance for their enterprises to use internally. The comparison that I want to make is that the majority of other agencies, including a big part of the Department of Defense and the Intelligence Community, outsource their software development to third parties and systems integrators. Because there has been no official policy direction on software security in these organizations, until now that is, there has been no real effort made to cascade down secure development methods to these third-party software developers. The end result is that you have software being delivered on mission-critical systems involving national security operations that is inherently less secure than the software at these four civilian agencies. That’s a real eye-opener for many people, which is one reason Congress is taking steps to compel the development community to build more secure software.
The New New Internet: You really see this new policy guidance in the Defense Authorization Act providing a mandate for third-party software developers and systems integrators to match what those four civilian leaders on software security are doing?
Kelly Collins: I think it is a big services potential and opportunity for the systems integration community to understand that they need to be mindful of delivering secure software. I also want to point out that the new security policies aren’t just about new software. After all, the vast majority of the software used within the Defense Department involves legacy systems. Those software systems don’t get a free pass just because they are already in place. In fact, it’s those older applications that pose the greatest risk from a security vulnerability standpoint. It’s also important to understand that there are thousands of applications in our defense systems that were custom-built for very specific purposes. For the most part, these applications were not developed with security vulnerabilities in mind. And many now contain flaws that weren’t a security issue when the software was first built but are today because hackers and others are uncovering new pathways into software every day. What was secure even six months ago may no longer be secure because security vulnerabilities are extremely dynamic. Appropriately, the Defense Authorization Act, in the section on software security assurance, has specific line items for finding and remediating vulnerabilities in legacy software to bring those systems up to spec from a security perspective.
The New New Internet: I want to change gears and ask about your background. How did you come to Fortify Software?
Kelly Collins: I’ve been working primarily with technology vendors for 30 years. I worked for IBM when I was in college. That was the only time I worked for a hardware company, and then I started working for software companies for the next 25 years. I’ve always had a software focus, mainly in the Department of Defense and in the Intelligence Community. At one point in my career, I had my own small company and did work in intrusion detection, which is the first time I had any perspective on what kind of hacking was going on in the world and how sophisticated it had become and the level of involvement of nation-state players in attempts to penetrate U.S.-based systems. Before I joined Fortify, I was president of the SAS Institute’s Federal Subsidiary. I was intrigued by the work Fortify was doing in cybersecurity. I was certainly taken with how contemporary the issue of cybersecurity had become, but also by how much more sophisticated it was than fifteen years earlier when I first worked with network intrusion detection systems. I saw how much the attack vectors could evolve when trying to defend ourselves against things like cyber warfare. A cyber attack at the software layer could devastate a system in the United States. That’s why I think it’s imperative to have strong policy initiatives in the United States focused on the software layer, because so many of our systems are 100 percent dependent upon the software operating in an effective and efficient manner.