NASA launches software assurance program

Thursday - 6/24/2010, 7:30pm EDT

Jerry Davis, CISO, NASA

Click below to hear the interview

Download mp3

By Meg Beasley
Federal News Radio

As cyber threats continue to increase, agencies are looking to software contractors for technologies to help protect their assets. Jerry Davis, NASA's chief information security officer, says that's not good enough.

"The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk," he says.

Davis, who spoke Thursday at an AFCEA panel on the role of the CISO, says buying products that don't interface correctly leads to a cycle of patching applications that is both time consuming and could compromise security.

To address this issue, NASA set up the Software Assurance Working Group (SAWG) to educate their software developers and develop tools to protect Web applications that already are in use.

NASA expects to teach Web developers how to look for and design secure applications. Classes also will focus on how to "design out common vulnerabilities" that are frequently exploited. Davis says Web applications are one of the most common attack vectors against both the government and the private sector.

Davis says SAWG expects to have the courses designed and sent out to its developers by the end of the calendar year.

Next fiscal year, the working group will begin developing tools to protect the vulnerable Web applications that NASA already is using.

"You can't go back and fix them all, so you have to find out a way to protect those legacy applications using certain tools" says Davis.

SAWG functions under NASA's IT Security Division and focuses primarily on applications developed in house, but also will look at new technology from contractors.

Davis says NASA exchanges information with contractors as products are in development: "We're working with them, learning about their process, and teaching them about the cyber aspect of things of what they need to be aware of when their dealing with software applications," he says.

Davis says NASA doesn't have firm information on how much software is developed in house or on how many programmers are developing it. SAWG hopes to gather that data before or during the education phase in order to have a better idea of what their employees need.

Meg Beasley is an intern with Federal News Radio.

(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)