[ISN] Feds, Oracle team up to boost security

From: InfoSec News (isn@private)
Date: Tue Sep 23 2003 - 08:01:03 PDT

  • Next message: InfoSec News: "[ISN] Intrusion detection team denies Trojan claim"

    Story by Jaikumar Vijayan
    SEPTEMBER 19, 2003
    Five federal agencies, in collaboration with the Center for Internet
    Security and Oracle Corp., tomorrow will announce a broad federal
    procurement initiative to improve software security.
    Under the initiative, software vendors will have to ensure that their
    software meets specific safe configuration requirements and that any
    fixes they provide to patch vulnerabilities are reliable and won’t
    compromise these configurations.
    The idea behind the initiative is to use the federal government’s
    purchasing power to make software vendors accept more responsibility
    for the security of their software, said Alan Paller, director of the
    SANS Institute, a Bethesda, Md.-based security research firm.
    The initiative was prompted by the growing problems users face because
    of unsafe software configurations, he said, adding that software
    vendors will be required to ensure that default settings are secure to
    avoid problems later on.
    The federal government recently launched a procurement program called
    SmartBuy, which it hopes will drive better pricing and contractual
    terms from software vendors by consolidating purchases. SmartBuy will
    allow federal agencies to negotiate tougher terms relating to
    security, Paller said. The initiative being announced Tuesday is an
    example of that tougher stance.
    “This is about partnering with vendors so that they take
    responsibility” for software security, Paller said. He added that he
    expects the federal initiative to set a model for software procurement
    in the private sector as well.
    Karen Evans, CIO of the U.S. Department of Energy who was recently
    named by President Bush to head all e-government initiatives, will
    announce the first contract to be signed under the initiative.
    The contract will demonstrate “a new way for government to purchase
    software with security built in,” according to a press alert from the
    CIS, which is organizing the event.
    The other federal agencies participating in the announcement are the
    U.S. Department of Homeland Security, the National Security Agency,
    the Defense Information Systems Agency and the U.S. General Services
    Administration. Also involved in the announcement are approximately
    120 CIOs and security specialists from government and industry.
    Sources familiar with the announcement confirmed Oracle’s involvement
    in the initiative. An Oracle spokeswoman today declined to comment.
    CIS Vice President Bert Miuccio said the initiative builds on a
    CIS-led effort last year involving the creation of benchmark security
    standards for Windows 2000 professionals. That effort focused on
    creating a checklist of security settings for Windows 2000 systems
    that vendors could use when shipping systems to users.
    Last year’s initiative was backed by several government agencies,
    including NSA, DISA and the National Institute of Standards and
    Technology. The scope of Tuesday's announcement is significantly
    broader, Miuccio said.
    Dan Verton contributed to this story.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 23 2003 - 12:02:20 PDT