Procuring technology, software and services is an important aspect of every government's operations. In many cases, national agencies will even obtain their mission-critical software from third parties. So if there's anything to be learned from the bevy of increasingly sophisticated cyberattacks and data breaches that have occurred over the past few years, it's that governments need formal processes for software evaluation and establishing code security — and they need them fast.
Recognizing this, BSA, The Software Alliance and the Data Security Council of India (DSCI), released "Security Considerations in Software Procurement by Government Agencies in India," a study analyzing the software procurement processes of the Indian government and its entities and outlines best practices to minimize security threats.
Here's a closer look at security in the eyes of DSCI-BSA, along with key recommendations for government agencies.
DSCI-BSA: SecurityIs Key
The DSCI-BSA report highlights the absence of a comprehensive legal framework and mandatory guidelines addressing software procurement at the state level. It recommends the adoption of formal testing procedures that use international standards for code evaluation, with particular attention paid to code security. To guarantee software's compliance with those international standards — and to ensure apps are resilient to cyberthreats — the study also advises that security experts be involved with software evaluation at every phase of the code lifecycle.
When it comes to security solutions, the report suggests that governments involve third-party organizations that can perform independent assessments and audits. Third-party entities can provide unbiased evaluations and security assessment frameworks for future reviews.
The report provides specific indications for government agencies' purchasing of software and Software-as-a-Service (SaaS) programs, reinforcing the need to integrate security requirements into the software-procurement process.
Secure Software Development Life Cycle best practices followed in the industry and used by government offices to evaluate software providers include the incorporation of necessary security features in each development stage, the adoption of coding best practices and the review of code prior to compilation (binary static analysis). And when it comes to defining security requirements for this same process, the security council stresses that all relevant stakeholders must be present.
DSCI-BSA remarks on the necessity of tracking threats and vulnerabilities in procured applications and establishing effective patch management in collaboration with vendors and software providers. It highlights the importance of both a software evaluation and a post-impact analysis after an app update is deployed.
"As government services move to electronic platforms, software has taken a central role," says R. Chandrashekhar, president of the National Association of Software and Services Companies (NASSCOM). "Evaluating software from a security standpoint during procurement is imperative. . . . I hope the government will find our recommendations useful and mandate incorporation of security requirements in its procurement processes."
Recommendations for Government Agencies
The report provides several recommendations for government agencies hoping to protect themselves against future exploits, including the following:
- When procuring software, the central government must follow information security requirements it implements through an effective legal framework.
- Governments and their agencies must adopt internationally accepted criteria for code evaluation in order to assess the security of software throughout its lifecycle.
- Agencies must be aware of best practices for software security evaluation and employ them at every phase of the code lifecycle.
- Request for Information (RFI) and Request for Proposal (RFP) processes for software procurement must include detailed security requirements.
- Governments and their agencies must eradicate counterfeit and unlicensed software in their supply chains.
- Governments should encourage public-private partnerships to provide agencies with procedural and technical guidance.
To keep ahead of hackers, governments must carefully define their software evaluation criteria and evaluate the hardware components that are critical to their national infrastructures. Above all, however, one thing is clear: For security's sake, it's global or bust. E-Government interoperability and cybersecurity practices must be developed on a global scale in compliance with international standards.
Photo Source: Flickr