Build in Basic Security, Vendors Told

WASHINGTON -- Technology vendors should improve the default security settings in their products, a committee of the National Cyber Security Partnership Task Force (NCSP) says its recommendations for technical standards.

The NCSP's Technical Standards and Common Criteria committee has released its cybersecurity recommendations. Primarily, the group of academics, government officials, tech vendors, and customers are asking vendors to provide stronger "out-of-the-box" security configurations and to support at least one configuration profile that provides a baseline security level.

The 104-page committee report is intended to put more pressure on vendors about default security settings and raise awareness about best practices and security audits, says Mary Ann Davidson, chief security officer at Oracle, who cochairs the committee. The committee hopes to move the debate away from advice that vendors may or may not choose to follow, she says.

"We're trying to change the dynamic to, 'Vendors ought to do this,'" she says.

Her committee, which worked on the recommendations for about four months, revised its work to give the recommendations stronger wording, she says.

Key Charges, Goals

Among the recommendations:

  • Vendors should provide more substantive security recommendations, configuration checklists and best practices to customers.
  • The U.S. government, user groups and customers should encourage more independent security evaluations of IT products.
  • The U.S. government should help offset the costs of an IT vendor going through a Common Criteria security evaluation through tax credits or other methods.
  • The U.S. government should fund the development of code-scanning tools that detect flaws in software code.

But many of the recommendations place the responsibility for cybersecurity on vendors.

"As an industry, we corporately need to do a better job of security infrastructure," Davidson says.

Davidson plans to take the recommendations, as well as others from NCSP, back to Oracle to see how her company can improve security, she says.

"This is not done. We're not thinking, 'We've issued a report and we can go home,'" she adds. "Most of us want to take it to the next level and show concrete progress."

The National Cyber Security Partnership was established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure, following the release of the White House National Strategy to Secure Cyberspace in February 2003 and the National Cyber Security Summit in December. The partnership is led by TechNet, the Business Software Alliance, the Information Technology Association of America and the U.S. Chamber of Commerce.

Subscribe to the Security Watch Newsletter

Comments