Interesting People mailing list archives

Report seeks more secure world for software development


From: Dave Farber <dave () farber net>
Date: Fri, 02 Apr 2004 15:44:45 -0500


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 01 Apr 2004 14:15:47 -0800
From: Greenarrow 1 <Greenarrow1 () msn com>

I find the below very interesting since it cites that security in software
should be taught at the academic level.

By Anne Saita and Shawna McAlearney, News Writers
01 Apr 2004 | SearchSecurity.com


A task force of academics, businesspeople and government officials
recommends software companies do more to secure their products or, in some
instances, the government may need to move in to enforce more secure
software code, according to a new report released today.

Led by software giants Microsoft and Computer Associates, companies that
comprise the public-private National Cyber Security Partnership admit more
may be needed if market forces can't compel software developers to create
safer solutions. But first the industry needs to make security a core
component of software development at the university level and then encourage
best practices at the workplace to reduce the number of vulnerabilities in
today's software.

The report also calls for the patching process to be revamped, for example by
no longer requiring reboots during installation, and for awards and other
incentives for those developers and vendors who create secure products.

Though only one of numerous points in the piece, generating the most
attention is the recommendation by a subcommittee that the Department of
Homeland Security and the National Cyber Security Partnership "examine
whether tailored government action is necessary to increase security across
the software development lifecycle."

Such an attitude toward government intervention represents a sea change in
the IT community, which has long advocated a hands-off approach, relying on
market forces to compel software makers to reduce the number of flaws in
their products that leave computer networks vulnerable to attack.

This report to the Bush administration admits market pressures may fall
short for particularly vulnerable systems such as critical infrastructure,
including power plants, water systems and telecommunications.

But not everyone believes the vendors are acting altogether altruistically.

"Read through every recommendation and you'll notice that the giant software
vendors that controlled that task force completely avoid the things that
matter: there is no recommendation of exploring liability for damages caused
by faulty software; no discussion of using federal buying power to ensure
software vendors meet reasonable standards; and no discussion of removing
antitrust limitations so buyers in critical infrastructure can work
together," said Alan Paller, director of research at the SANS Institute.

"And in the one area in which their recommendations could make a long term
difference -- upgrading computer science courses so no one graduates if they
have not had secure programming skills and knowledge inculcated in them, the
document provides no effective mechanism," Paller continued. "It's terrible
when the industry says 'wait for us, we'll solve the problem,' and then
delivers no effective proposals."

However, Ron Moritz, Computer Associates' chief security strategist and
co-chair of the National Cyber Security Partnership task force, says it's
only a matter of time before liability issues are addressed. And he rushed
to point out that the effort was managed by individual cybersecurity
experts, not companies.

"There are a number of reasons why liability was deferred for a future
report, it may take several months to fully address the problem and we don't
have all the insight we need right now," said Moritz. "Rushing to get
liability into this report could damage the marketplace and premature action
could also divert resources from necessary security issues into legal ones."

Moritz co-chairs the group with his counterpart at Microsoft, Scott Charney.

Though it may seem a surprising shift in attitude, the recommendation of
more government intervention shouldn't come as a huge shock. Earlier this
spring a new lobbying group comprised of a dozen top information security
companies vocally supported current government regulation to combat
cybercrime -- and keep other regulations from being created due to lack of
private-sector support.

Reaction Thursday was mixed.

"This is positive, but quite out of character for the vendors," said Clint
Kreitner, president and CEO of The Center for Internet Security. "I'm
encouraged by the apparent willingness to look at a variety of solutions to
address this unique global problem."

"I have felt from the beginning that if we could put aside the rhetoric
about 'regulation' and 'mandates' and start talking about ways to
collaborate in pursuit of the common good with regard to information
security, we could make some progress," said Kreitner. "Hopefully this is
beginning to happen."


MORE INFO:
National Cyber Security Partnership Web site
Read this Guest Commentary: "Secure software -- The source of the problem is
the solution"
Read this Guest Commentary: "Secure Coding? Absolutely!"


Regards,
George
Greenarrow1
InNetInvestigations-Forensics
-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/