The National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS) works collaboratively with public, private, and international entities to secure cyberspace and America’s cyber assets. To protect the cyber infrastructure, NCSD has identified two overarching objectives:
In his role as Director for Software Assurance, Joe leads government interagency public/private collaboration efforts with industry, academia, and standards organizations to shift the security paradigm away from patch management by addressing security needs in work force education and training, more comprehensive diagnostic capabilities, software security automation, and security-enhanced development and acquisition practices.
Joe served in the U.S. Air Force as a Lieutenant Colonel in program management. After retiring from the Air Force, he worked in the cyber security industry as vice president for product and process engineering. Joe also served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position.
Joe Jarzombek addresses DHS Cyber Security initiatives focused on mitigating risks attributable to exploitable software and how public/private collaboration is necessary to improve cyber security.
Joe speaks to the relevance of software security assurance in reducing organizational risk exposure. With today’s global IT software supply chain, project management and software/systems engineering processes must explicitly address security risks posed by exploitable software. Traditionally, these disciplines have not clearly and directly focused on software security risks that can be passed from projects to the organization. Software security assurance processes and practices span development and acquisition and can be used to enhance project management and quality assurance activities. Joe explains the critical need for adherence to the practices, guidelines, rules, and principles used to build security into every phase of software development.
He addresses how the Common Weakness Enumeration (CWE) provides the characterization of exploitable software constructs, and he discusses why this is needed to advance software security assurance. He discusses free resources that are available to assist project and engineering personnel in managing contracted, outsourcing, and development activities. He also discusses the Software Assurance Forum that DHS co-sponsors with the Department of Defense (DoD) and the National Institute for Standards and Technology (NIST) to provide the public/private collaboration to mitigate software security risks and encourage proactive and preventative security practices. Collaboratively developed and peer-reviewed material is made publicly available through on-line resources, such as: