Cybersecurity group releases recommendations

A computer industry task force that includes representatives from Microsoft and Computer Associates issued its first round of recommendations on Thursday for improving software security, including a role for the U.S. government in supporting creation of secure software products.

A computer industry task force that includes representatives from Microsoft and Computer Associates issued its first round of recommendations on Thursday for improving software security, including a role for the U.S. government in supporting creation of secure software products.

The U.S. Department of Homeland Security (DHS) should establish measurable annual security goals for the U.S. cybersecurity infrastructure and consider “tailored government action” to increase security in software development, according to a 123-page report from the National Cyber Security Partnership Task Force.

In a statement, task force co-chairman Scott Charney, chief security strategist of Microsoft called software security a “serious, long-term multifaceted problem that requires multiple solutions … throughout the development lifecycle.”

The task force is a cooperative effort between the Business Software Alliance, the Information Technology Association of America, TechNet and the U.S. Chamber of Commerce, and also includes academics, industry experts and representatives of government agencies.

The task force was divided into four subgroups: education, software process, patching and incentives.

On the issue of user education, the task force recommended the creation of a new initiative to make security a core component of university software development programs and the formation of a software security certification accreditation program.

To improve the software development process, the task force said that software producers should adopt best practices for developing secure software code, measure the effect of their secure coding practices and disclose the results of those measurements.

When patching software, companies should adhere to a “top 10” list of best practices that includes making patches small, easy to install and reversible and eradicating patches that introduce new product features or require reboots, among others.

The group also recommended a number of ideas for encouraging secure coding practices, including the creation of industry awards for secure software development practices and products. The security of code should be a measure of a developer’s job performance, the group recommended, and also suggested the creation of a privately-funded program to offer rewards for cybercriminals.

Ron Moritz, co-chairman of the task force and chief security strategist at CA said that the recommendations are just the beginning of a long process of developing comprehensive cybersecurity recommendations for government, industry and academia.

“What you’re looking at is just the beginning — the low hanging fruit,” he said

The task force had a number of recommendations for ways DHS can help, including working through existing standards bodies such as the U.S. Computer Emergency Response Team and the Information Technology Information Sharing and Analysis Center to determine the effectiveness of practices to reduce software security vulnerabilities.

The group sees DHS as a management body to help move the process of improving software security forward, said Moritz.

“We need to work more closely with (DHS),” he said.

One area where the government can play a key role is through funding of research, Moritz said. For example, grants to universities to fund research into a new generation of secure programming languages could spur innovation in an area that the private sector has been uninterested in funding in the past decade, he said.

“This is a great opportunity, at the national level, to (get) government to motivate academia to think about the problem,” he said.

The task force was formed in response to the Bush administration’s publication of the White House National Strategy to Secure Cyber Space and the subsequent National Cyber Security Summit in Santa Clara, Calif., in December. The group looks for ways to foster private-public partnerships to secure the U.S. critical information infrastructure.

Moritz could not say whether the group’s recommendations exceeded the Bush administration’s view of the government’s role in cybersecurity, but said that those in DHS, including Amit Yoran, director of the National Cyber Security Division, were receptive to the report.