Addressing Software Quality in Cybersecurity: Insights from Jen Easterly’s Perspective
By Ron Lear, Vice President of Models and Frameworks at ISACA
In the ever-evolving landscape of cybersecurity, the quality of software has emerged as a critical concern. Recently, Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency (CISA), made headlines with her bold assertion that the industry is not facing a cybersecurity problem but rather a software quality problem. Her comments, which I encountered with a mix of agreement and skepticism, prompted me to delve deeper into the implications of her statement.
The Core of the Issue: Software Quality vs. Cybersecurity
Easterly’s assertion that “we have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software” resonates with many in the field. However, I believe that the issue extends beyond just software quality; it encompasses a broader spectrum of critical capabilities that are essential for delivering secure software solutions.
To understand this, we can refer to the ISO 9001:2015 standard, which defines quality as the “degree to which a set of inherent characteristics of an object fulfills requirements.” This definition applies not only to products but also to services, processes, and systems. If technology vendors have been allowed to produce subpar software, the responsibility also lies with the customers and stakeholders who have failed to enforce rigorous requirements.
The Role of Requirements in Software Development
At the heart of quality assurance in software development is the establishment of clear, consistent, and well-defined requirements. Vendors must operate under a framework that mandates the creation of software based on customer needs, which should include:
- Unambiguous and clearly stated requirements
- Completeness and consistency
- Unique identification
- Alignment with architectural approaches and quality attributes
- Technical viability and maintainability
- Testability and traceability
- Achievability and business value alignment
These requirements serve as the foundation for developing secure software. However, merely having these requirements is not sufficient. Vendors must also implement robust processes for verifying and validating these requirements through testing, peer reviews, and quality assurance measures.
The Importance of Governance and Infrastructure
To ensure that these capabilities are effectively implemented, organizations must establish a governance framework that supports the necessary infrastructure. This includes:
- Performance measurement and analysis
- Estimation and planning
- Monitoring and control
- Configuration and data management
These elements are crucial for maintaining the integrity of the software development process and ensuring that security is prioritized throughout.
The Need for Proven Best Practices
As we consider the multitude of capabilities required for delivering high-quality software, one might wonder if there are established best practices that organizations can adopt. Fortunately, there is a framework available: the Capability Maturity Model Integration (CMMI) V3.0. Developed through federally funded research, CMMI V3.0 provides a comprehensive model that encompasses eight primary domains and multiple core business capabilities.
This model is designed to be easily tailored and integrated, making it accessible for businesses of all sizes. Moreover, it offers clear data demonstrating consistent outcomes and performance results, making it an invaluable resource for organizations striving to enhance their software quality.
A Call for Action: Leveraging Existing Frameworks
Given the challenges associated with enforcing voluntary cybersecurity initiatives, it is imperative that government agencies consider leveraging existing frameworks like CMMI V3.0. Rather than relying on unfunded pledges for “secure by design,” agencies should require vendors and contractors to adhere to proven best practices that ensure the implementation of robust capabilities and processes.
By doing so, we can move beyond the cycle of allowing substandard software to permeate the market and instead foster an environment where quality is prioritized, and security is embedded in the development process.
Conclusion
While Jen Easterly’s comments highlight a significant issue within the technology industry, it is essential to recognize that the solution lies in a multifaceted approach that addresses both software quality and the critical capabilities necessary for delivering secure solutions. By adopting proven frameworks like CMMI V3.0 and enforcing rigorous requirements, we can pave the way for a more secure digital landscape. The time for action is now: let us not allow history to repeat itself.