The National Cyber Security Partnership Task Force on Technical Standards and Common Criteria in the US has published recommendations to reduce software security vulnerabilities.

A guiding ethos of the group was that the task of ensuring product security should not fall entirely on the shoulders of software executives and chief security officers. The government can use its purchasing power to force suppliers to build better products, and to set industrywide standards for security.

The recommendations that the task force put forth are part of a larger effort to secure the US critical information infrastructure.
Among the recommendations were the following:

Technology companies should do more to foster secure computer coding practices and code audits that eliminate software vulnerabilities.

Companies should ship products with "secure by default" configurations and adhere to common product security "profiles" for different kinds of IT products.

The federal government should invest in software vulnerability assessment technology and support standards groups like the National Institute of Standards and Technology and the National Information Assurance Partnership.
The recommendations are intended to guide the decisions of software developers, purchasers and end users by making them more savvy about IT security.

Task force leaders believed the government's renewed focus on making Common Criteria certification a prerequisite for government procurement has already produced dramatic results in IT security.

"This is just truth in advertising for software," says Mary Ann Davidson, CSO at Oracle and co-chairwoman of the task force. "Every vendor says its product is secure. We need an independent entity to vet those claims."

Paul Roberts writes for IDG News Service