OMG pushes standards for verifying software security

A report released early this month by a task force within the Object Management Group outlines the standards needed to develop a consistent process for verifying the security of software sold to government agencies.

The task force, which is composed of representatives from private-sector companies and government agencies, is part of a broader effort to ensure that software products used by the government meet consistent and defined security standards.

"What the OMG is hoping to achieve in putting together these standards is to have a formal way of measuring if software is trustworthy," said Djenana Campara, co-chairman of the Architecture-Driven Modernization Task Force within the OMG.

The standards will give vendors and software purchasers a consistent way to evaluate a system's design robustness, reliability, process integrity and configuration controls, said Campara, who is also CTO of Klocwork Inc., a Burlington, Mass.-based vendor of vulnerability analysis software.

Such a framework is crucial to allowing software suppliers and buyers to represent their claims and requirements along with a way to verify them, said Joe Jarzombek, director of software assurance at the National Cyber Security Division of the U.S. Department of Homeland Security.

"When vendors make claims about the safety, security and dependability of products, what is the standard by which they are making those claims and what are the minimum levels of evidence" that are needed? he asked. "The reason to have a standard is it tells you, 'Here's how you can make a claim, here are the attributes we are looking for, and here are the things you need to include when making a claim,'" he said.