Secure Coding mailing list archives

Report seeks more secure world for software development


From: "Greenarrow 1" <Greenarrow1 () msn com>
Date: Fri, 02 Apr 2004 16:58:29 +0100

I find the below very interesting, since it cites that, at the academic level, 
security in software should be taught.

By Anne Saita and Shawna McAlearney, News Writers
01 Apr 2004 | SearchSecurity.com


A task force of academics, businesspeople and government officials 
recommends software companies do more to secure their products or, in some 
instances, the government may need to move in to enforce more secure 
software code, according to a new report released today.

Led by software giants Microsoft and Computer Associates, companies that 
comprise the public-private National Cyber Security Partnership admit more 
may be needed if market forces can't compel software developers to create 
safer solutions. But first the industry needs to make security a core 
component of software development at the university level and then encourage 
best practices at the workplace to reduce the number of vulnerabilities in 
today's software.

The patching process needs to be revamped, such as no longer requiring 
reboots during installation, and providing awards and other incentives to 
those developers and vendors who create secure products.

Though only one of numerous points in the piece, generating the most 
attention is the recommendation by a subcommittee that the Department of 
Homeland Security and the National Cyber Security Partnership "examine 
whether tailored government action is necessary to increase security across 
the software development lifecycle."

Such an attitude toward government intervention represents a sea change in 
the IT community, which has long advocated a hands-off approach in favor of 
market forces to compel software makers to improve the number of flaws in 
their products that then leave computer networks vulnerable to attack.

This report to the Bush administration admits market pressures may fall 
short with particularly vulnerable systems such as critical infrastructure 
like power plants, water systems and telecommunications.

But not everyone believes the vendors are acting altogether altruistically.

"Read through every recommendation and you'll notice that the giant software 
vendors that controlled that task force completely avoid the things that 
matter: there is no recommendation of exploring liability for damages caused 
by faulty software; no discussion of using federal buying power to ensure 
software vendors meet reasonable standards; and no discussion of removing 
antitrust limitations so buyers in critical infrastructure can work 
together," said Alan Paller, director of research at the SANS Institute.

"And in the one area in which their recommendations could make a long term 
difference -- upgrading computer science courses so no one graduates if they 
have not had secure programming skills and knowledge inculcated in them, the 
document provides no effective mechanism," Paller continued. "It's terrible 
when the industry says 'wait for us, we'll solve the problem,' and then 
delivers no effective proposals."

However, Ron Moritz, Computer Associates' chief security strategist and 
co-chair of the National Cyber Security Partnership task force, says it's 
only a matter of time before liability issues are addressed. And he rushed 
to point out that the effort was managed by individual cybersecurity 
experts, not companies.

"There are a number of reasons why liability was deferred for a future 
report; it may take several months to fully address the problem, and we don't 
have all the insight we need right now," said Moritz. "Rushing to get 
liability into this report could damage the marketplace, and premature action 
could also divert resources from necessary security issues into legal ones."

Moritz chairs the group with his counterpart of Microsoft, Scott Charney.

If considered a surprising shift in attitude, the recommendations towards 
more government intervention shouldn't come as a huge shock. Earlier this 
spring a new lobbying group comprised of a dozen top information security 
companies vocally supported current government regulation to combat 
cybercrime -- and keep other regulations from being created due to lack of 
private-sector support.

Reaction Thursday was mixed.

"This is positive, but quite out of character for the vendors," said Clint 
Kreitner, president and CEO of The Center for Internet Security. "I'm 
encouraged by the apparent willingness to look at a variety of solutions to 
address this unique global problem."

"I have felt from the beginning that if we could put aside the rhetoric 
about 'regulation' and 'mandates' and start talking about ways to 
collaborate in pursuit of the common good with regard to information 
security, we could make some progress," said Kreitner. "Hopefully this is 
beginning to happen."


MORE INFO:
National Cyber Security Partnership Web site
Read this Guest Commentary: "Secure software -- The source of the problem is 
the solution"
Read this Guest Commentary: "Secure Coding? Absolutely!"


Regards,
George
Greenarrow1
InNetInvestigations-Forensics