A computer industry task force that includes representatives from Microsoft and Computer Associates has issued its first recommendations to improve software security, even giving the government a role in supporting secure software products.
The U.S. Department of Homeland Security should establish measurable annual security goals for a national cybersecurity infrastructure, says the 123-page report from the National Cybersecurity Partnership Task Force. It also recommends the government consider "tailored government action" to boost security in software development.
Software security is a "serious, long-term, multifaceted problem that requires multiple solutions ... throughout the development life cycle," says Scott Charney, Microsoft chief security strategist and task force co-chair, in a statement.
The task force is a cooperative effort involving the Business Software Alliance, the Information Technology Association of America, TechNet, and the U.S. Chamber of Commerce. It includes academics, industry experts, and representatives of government agencies. The task force was formed as part of the Bush administration's National Strategy to Secure Cyberspace.
Report Recommendations
The group has four divisions: education, software process, patching, and incentives.
For user education, the task force recommends creating an initiative to make security a core component of university software development programs. It also suggests that a software security certification accreditation program be formed.
To improve the software development process, the task force says, software producers should adopt best practices to develop secure software code, measure the effect of their secure coding practices, and disclose the measurements' results.
When patching software, companies should adhere to a "top ten" list of best practices, the task force suggests. The proposed list includes making patches small, easy to install, and reversible, as well as eradicating patches that introduce new features or require reboots.
The group also recommends a number of ideas to encourage secure coding practices, including creating industry awards for secure software development practices and products. Code security should be a measure of a developer's job performance, the group says. In addition, the task force suggests creating a privately funded program to offer rewards for catching cybercriminals.
The recommendations are just the beginning of a long process of developing comprehensive cybersecurity recommendations for government, industry, and academia, says Ron Moritz, who co-chairs the task force and is Computer Associates' chief security strategist.
"What you're looking at is just the beginning--the low-hanging fruit," he says.
Enlisting the Feds
The Homeland Security Department can help in many ways, the task force says. The report suggests that the agency work through existing standards bodies such as the U.S. Computer Emergency Response Team and the Information Technology Information Sharing and Analysis Center. Together, they should determine the effectiveness of current efforts in reducing software security vulnerabilities.
The group sees Homeland Security as a management body to help move the process of improving software security forward, Moritz says.
"We need to work more closely with [Homeland Security]," he adds.
One area where the government can play a key role is through funding of research, Moritz says. For example, universities could get grants for research into a new generation of secure programming languages, which could spur innovation. The private sector has not pursued or funded such research in the past decade, he says.
"This is a great opportunity, at the national level, to [get] government to motivate academia to think about the problem," he says.
The National Strategy to Secure Cyberspace was released last year. Its goals were discussed at the National Cybersecurity Summit in Santa Clara, California, in December. The task force looks for ways to foster private-public partnerships to secure the United States' critical information infrastructure.
Moritz could not say if the group's recommendations exceed the Bush administration's view of the government's role in cybersecurity. But Homeland Security representatives, including Amit Yoran, director of the National Cybersecurity Division, are receptive to the report, Moritz notes.
