The director of one of the world's largest software testing operations has some advice to offer CIOs about improving the security of their IT systems: The sooner you start security testing, the more secure your systems will be.
Steven Hutchison, test and evaluation executive for the Defense Information Systems Agency (DISA), has a staff of 1,300 military and contractor employees and an annual budget of $170 million. Hutchison's team engages in developmental, operational interoperability and security testing for the Defense Department's command and control and business applications.
"The volume of work is considerable," Hutchison said in a recent interview. "My ballpark estimate is that we have 400 various test and evaluation activities in a given year."
Cybersecurity is at the top of the Obama administration's agenda, with plans to appoint a federal cybersecurity coordinator who reports to both the National Security Council and the National Economic Council. The Obama Administration also is beefing up its ability to respond to and launch cyberwarfare attacks.
Increasingly, DISA is putting its emphasis on security testing of its IT systems, as it tries to find and exploit vulnerabilities in software before and after it is deployed.
"Cybersecurity is an area of tremendous concern within the department," Hutchison said. "We do extensive testing of our systems in our environment to ensure that as they are developed, they don't have built-in vulnerabilities. We try to find those and fix those before systems are deployed. Once they get in the hands of our operators, the operators are trained in terms of how to detect, react to and restore capabilities if there has been some sort of an exploit."
Hutchison says his biggest piece of advice for corporate CIOs is to get security testing experts involved at the earliest possible stage of software development.
"We try to get the security tests involved right from the beginning," Hutchison said. "We're running the tests and finding and fixing problems very early on so we have a high degree of confidence when we can get the systems fielded."
DISA includes information assurance in its Net-Ready Key Performance Parameters, which are written into the requirements of all of its major programs. "As we form the test plan, we always have a security test and evaluation professional on the team," Hutchison said.
DISA also runs security testing on all commercial products before they are allowed to operate on a Defense Department network.
DISA uses internal hackers, which it calls "red teams," to continue security testing once systems are operational. Red teams try to penetrate systems and take action, such as stealing data. Hutchison says using internal hackers is something he would "absolutely" recommend to CIOs so they can find and fix their own vulnerabilities.
Keeping up with the latest security threats is difficult for DISA's test and evaluation team.
"It's tremendously challenging for our testers to be trained and ready and relevant in this new environment," Hutchison said. "We are constantly adding new test capabilities into their programs."
Hutchison says it's important to hire top talent for security testing and evaluation.
"Our people really like what they're doing," Hutchison said. "I don't think we're experiencing any trouble finding new people to come into our environment…because the work is so interesting."
This story, "Feds Push Cybersecurity" was originally published by Network World.