The National Cyber Security Partnership Task Force on Technical Standards and Common Criteria in the US has published...
recommendations to reduce software security vulnerabilities.
A guiding ethos of the group was that the task of ensuring product security should not fall entirely on the shoulders of software executives and chief security officers. The government can use its purchasing power to force suppliers to build better products, and to set industrywide standards for security.
The recommendations that the task force put forth are part of a larger effort to secure the US critical information infrastructure.
Among the recommendations were the following:
Technology companies should do more to foster secure computer coding practices and code audits that eliminate software vulnerabilities.
Companies should ship products with "secure by default" configurations and adhere to common product security "profiles" for different kinds of IT products.
The federal government should invest in software vulnerability assessment technology and support standards groups like the National Institute of Standards and Technology and the National Information Assurance Partnership.
The recommendations are intended to guide the decisions of software developers, purchasers and end users by making them more savvy about IT security.
Task force leaders believed the government's renewed focus on making common criteria certification a prerequisite for government procurement has already produced dramatic results in IT security.
"This is just truth in advertising for software," says Mary Ann Davidson, CSO at Oracle and co-chairwoman of the task force. "Every vendor says its product is secure. We need an independent entity to vet those claims."
Paul Roberts writes for IDG News Service