ELC 2010: How to secure software

Monday - 10/25/2010, 10:15am EDT

Joe Jarzombek, director for software assurance, Global Cyber Security Management, National Cyber Security Division, DHS

By Jolie Lee
Federal News Radio

With heavy reliance on the private sector for purchasing software, agencies could be opening themselves up to security risks.

"There's a growing realization that within our supply chain, as we bring things in, that we're often unaware of what's in that supply chain and how it affects us. In particular, we're building components that are easily exploitable," said Joe Jarzombek, director for software assurance, Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security.

Jarzombek spoke with Federal News Radio's Tom Temin at the Executive Leadership Conference.

Agencies must enhance their due diligence, looking at not only who produces the product but how they produce it and how they manage the product throughout the supply chain.

"It's not just what one individual company does," Jarzombek said.

DHS uses due diligence questionnaires to try to find out who is handling the product. However, in a global economy, tracking the sources of a product becomes very difficult. Some countries might represent a "more malicious intent," but the location alone does not tell everything about the product's security, Jarzombek said.

Hardware, too, is becoming a focus of security threats. A survey by the Commerce Department found that nearly 40 percent of DoD's supply chain entities discovered counterfeit electronics between 2005 and 2008.

Jarzombek said the supplier alone is not to blame for security risks. Departments throughout agencies are responsible, too.

"It's a life cycle perspective, in development, acquisition and use," he said.