[ISN] Task force urges security collaboration

From: InfoSec News (isn@private)
Date: Fri Apr 02 2004 - 04:57:19 PST

    http://www.fcw.com/fcw/articles/2004/0329/web-task-04-01-04.asp
    
    By Florence Olsen 
    April 1, 2004
    
    Improving software security will demand a concerted effort from
    government, industry and higher education, said members of a national
    task force on software development in a report released today.
    
    In a 100-page document, the security task force made four broad
    recommendations for improving software security. In most of them,
    members called for common knowledge to be applied where it is now
    given only lip service.
    
    "As a software executive, the hardest thing to do is to look into the
    eyes of a team member who's been working for your company for 20 years
    and to say, 'You've been doing it wrong for 20 years,'" Ron Moritz,
    chief security strategist for Computer Associates International Inc.  
    and a co-chairman of the task force, said in an interview. "But that's
    what we're doing now."
    
    The task force defines secure software as software that preserves "the
    confidentiality, integrity and availability" of information. The
    report concluded that software security improvement requires:
    
    * Higher education to do a better job of teaching future software
      developers.
    
    * The software industry to make security an integral part of the
      design process.
    
    * Policymakers and others to create incentives that reward those who
      create secure software code.
    
    * And the software industry to come together on a common method of
      managing the process of patching software when insecurities are
      discovered.
    
    Federal agencies and other organizations should carefully pick and
    choose which recommendations to focus on, Moritz said. "If you try to
    do everything, you'll probably get nothing done," he said.
    
    The group also recommended more basic research on creating secure
    software. "The research process has slowed down and needs to be
    reenergized," Moritz said.
    
    He cited Sun Microsystems Inc.'s Java language as a vast improvement
    over existing languages when it was created 10 years ago. It may be in
    the national interest to finance research on a language that goes even
    further than Java to help programmers write secure software, Moritz
    said.
    
    Perhaps the harshest statement in the report came from the task
    force's educational subgroup: "If the United States is to progress
    beyond immature infrastructures created by amateurs, professionalism
    based on a sound university education is required."
    
    Although the task force was not created to advise the Homeland
    Security Department, the report suggests a role for DHS in creating
    security metrics for the principal components of the United States'
    cyberinfrastructure and keeping track of progress in meeting those
    benchmarks.
    
    "I see DHS as the project manager, as the key influencing body,"  
    Moritz said. "I'm not suggesting that it replace" the Office of
    Management and Budget.
    
    The task force was organized by the National Cyber Security
    Partnership, which includes the Business Software Alliance; the
    Information Technology Association of America; TechNet, a chief
    executive officers group; and the U.S. Chamber of Commerce. Among the
    partnership's members are academic, corporate, government and industry
    cybersecurity experts.
    
    The task force developed its recommendations in response to the
    President's National Strategy to Secure Cyberspace.
    
    
    
    _______________________________________________
    isn mailing list
    isn@private
    http://www.attrition.org/mailman/listinfo/isn
    