A US group formed by the software industry last December has released its first recommendations to improve the security of software development and ward off government legislation mandating better software security.
The report was published by a taskforce of the National Cyber Security Partnership (NCSP), whose members include major software companies and the US government.
Security should be promoted at every stage of the software development cycle, the report said, including security-oriented university training, creating best practices for secure software design, better-organised patch management, and creating incentives for public- and private-sector organisations to build more secure systems.
The report is one of five released by the NCSP in March and early April. Reports on security awareness for home users and small businesses, and on a workable cybersecurity warning system, arrived in mid-March. Two more, covering technical standards and making boardrooms more responsible for IT security, will appear in the next few days.
The NCSP was formed last December at the US' first National Cyber Security Summit in an effort to convince US legislators to keep their hands off private industry - which operates 85% of the US' critical infrastructure, yet faces far less stringent legal security requirements than the public sector.
The imminent threat late last year was a US bill which would have required companies to add the results of a security audit to their publicly disclosed Securities and Exchange Commission (SEC) filings.
Efforts are also being made in the EU to hold organisations accountable for their internal security, but these have tended to be tied to accounting-practices legislation.
Yet the report allows that, in some cases, limited government regulation may be needed to ensure software security.
The report said systems running important infrastructure, such as banks, telephone networks and water pipelines, "may require a greater level of security than the market will provide". Even in those cases, the NCSP report argued only for "appropriate and tailored government action that interferes with market innovation on security as little as possible".
Specific recommendations included:
- Creating a dozen academic fellowships in US universities, funded by at least $12m in public and private funds, to improve security training for software engineers and creating a software security certification accreditation programme.
- Establishing a set of best practices for software patches, to ensure they are well tested, small, localised, reversible and easy to install.
- Offering bounties for information leading to the conviction of virus writers and hackers.
"Software security is a serious, long-term multifaceted problem that requires multiple solutions and the application of resources through the development lifecycle," said Microsoft chief security strategist Scott Charney, co-chair of the task force.
Ron Moritz, chief security strategist for Computer Associates International, also co-chaired the task force, together with the Business Software Alliance, which helped to organise the group.
A wave of legislative interest in IT security has followed the terrorist attacks on the US in 2001 and the accounting scandals of companies such as Enron and WorldCom, but some experts have argued that security-oriented laws are going too far.
"Governments are producing far too much [security] legislation, at the moment," said analyst Fran Howarth with Bloor Research.
She argued that Sarbanes-Oxley financial reform legislation coming into force in the US and similar laws now being enforced in Europe covering financial institutions were likely to have the needed effect on security.
"The provisions they contain are going to force companies to put adequate security measures in. Nothing further is needed," she said.
Matthew Broersma writes for Techworld.com