Task force urges security collaboration

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2004/0329/web-task-04-01-04.asp

By Florence Olsen 
April 1, 2004

Improving software security will demand a concerted effort from
government, industry and higher education, said members of a national
task force on software development in a report released today.

In a 100-page document, the security task force made four broad
recommendations for improving software security. In most of them,
members called for common knowledge to be applied where it is now
given only lip service.

"As a software executive, the hardest thing to do is to look into the
eyes of a team member who's been working for your company for 20 years
and to say, 'You've been doing it wrong for 20 years,'" Ron Moritz,
chief security strategist for Computer Associates International Inc.  
and a co-chairman of the task force, said in an interview. "But that's
what we're doing now."

The task force defines secure software as software that preserves "the
confidentiality, integrity and availability" of information. The
report concluded that software security improvement requires:

* Higher education to do a better job of teaching future software
  developers.

* The software industry to make security an integral part of the
  design process.

* Policymakers and others to create incentives that reward those who
  create secure software code.

* And the software industry to come together on a common method of
  managing the process of patching software when insecurities are
  discovered.

Federal agencies and other organizations should carefully pick and
choose which recommendations to focus on, Moritz said. "If you try to
do everything, you'll probably will get nothing done," he said.

The group also recommended more basic research on creating secure
software. "The research process has slowed down and needs to be
reenergized," Moritz said.

He cited Sun Microsystems Inc.'s Java language as a vast improvement
over existing languages when it was created 10 years ago. It may be in
the national interest to finance research on a language that goes even
further than Java to help programmers write secure software, Moritz
said.

Perhaps the harshest statement in the report came from the task
force's educational subgroup: "If the United States is to progress
beyond immature infrastructures created by amateurs, professionalism
based on a sound university education is required."

Although the task force was not created to advise the Homeland
Security Department, the report suggests a role for DHS in creating
security metrics for the principal components of the United States'
cyberinfrastructure and keeping track of progress in meeting those
benchmarks.

"I see DHS as the project manager, as the key influencing body,"  
Moritz said. "I'm not suggesting that it replace" the Office of
Management and Budget.

The task force was organized by the National Cyber Security
Partnership, which includes the Business Software Alliance; the
Information Technology Association of America; TechNet, a chief
executive officers group; and the U.S. Chamber of Commerce. Among the
partnership's members are academic, corporate, government and industry
cybersecurity experts.

The task force developed its recommendations in response to the
President's National Strategy to Secure Cyberspace.



_______________________________________________
isn mailing list
isn () attrition org
http://www.attrition.org/mailman/listinfo/isn