How Software Intelligence Can Certify Safety in Critical Infrastructure

by Lev Lesokhin

What does Software Intelligence have to do with securing the US’ critical infrastructure? The two may seem disconnected, but with the growing threat of cyber espionage and compromised systems, the time is right to bring them together.

Last week, the State of New York, where CAST is based, held its primary elections. Throughout the day, I thought about recent reports of hackable voting systems in Florida and elsewhere—a threat that the Department of Homeland Security (DHS) is addressing aggressively.

Robert Kolasky, Director of the DHS’s newly formed National Risk Management Center (NRMC), recently testified to a Senate Judiciary subcommittee on Crime and Terrorism that the NRMC sees the upcoming midterm elections as a “potential target for Russian cyber operations.” He added that the organization is “working aggressively to mitigate any foreign threats to our election systems or infrastructure.”

Protecting the Vote—and Much More

The NRMC was created to encourage the private sector’s collaboration with the federal government in managing cyber threats, and voting systems are only one element of its broad remit. The DHS has identified 16 critical infrastructure sectors spanning a wide range of industries and systems, among them communications, financial services, energy, healthcare, and dams.

The DHS is collaborating with state and local election officials in all 50 states, as well as with voting-system vendors, to protect the election infrastructure. “Our Election Infrastructure Information Sharing and Analysis Center now claims nearly 1,000 members,” said Kolasky in his subcommittee testimony. However, he also acknowledged the technology deficits inherent in these election systems. “It will take significant and continual investment to ensure that systems are upgraded and [that] insecure or vulnerable systems are retired,” he added.

Let’s Take a Broader Approach

What I’d like to add to this ongoing dialogue is this: cyber threats to voting systems, and to any other federal, state, or local infrastructure, are a serious concern. Committees and information sharing are valuable, but we also need to get serious about ensuring that the software running that infrastructure is robust and secure. As citizens, we expect all physical infrastructure to be routinely assessed against a set of safety codes; bridges and buildings are inspected on a schedule to make sure they won’t fall down. I believe we’ve reached the point where software is an important enough component of critical infrastructure to deserve the same treatment. The most complete independent standard available today for measuring software security and reliability is the set of Automated Source Code Quality Measures published by the Consortium for IT Software Quality (CISQ), whose security measure is defined in terms of weakness patterns from the Common Weakness Enumeration (CWE). Applying that standard to critical infrastructure software should be the minimum bar for certifying its safety and stability.

Software Intelligence: Part of the Solution

As a member of CISQ, our firm turns the organization’s rigorous software quality standards into automated software assessments. We’re answering the NRMC’s call to the private sector with a pledge: up to $20 million of pro bono CISQ assessments across those 16 critical sectors, donated towards securing the nation’s voting and other critical infrastructure. Organizations can certify their software against the CISQ standard as a concrete way to move the needle towards safer and more secure critical infrastructure.

We’re honored to share the wealth of our Software Intelligence – and eager to do our part in ensuring the integrity of voting systems and other vital infrastructures. Check in here for updates on our progress, particularly as we look towards November’s midterm Congressional elections.

Lev Lesokhin, EVP, Strategy and Analytics at CAST
Lev spends his time investigating and communicating ways that software analysis and measurement can improve the lives of application development professionals. He is always ready to listen to customer feedback and to hear from IT practitioners about their software development and management challenges. Lev helps set market and product strategy for CAST and occasionally writes about his perspective on business technology in this blog and other media.