NIST eyes new approach to securing its software
OS and applications present an increasingly complex challenge
- By Jason Miller
- Nov 16, 2006
When agencies start installing the Microsoft Vista operating system over the next few years, IT managers will have to deal with more than the bugs and unknown hiccups in the software. They will have to figure out how to secure software with at least 35 million lines of code.
And Microsoft's software is just one of many complex applications that require detailed planning and procedures to secure, once integrators or agency IT workers have installed the software.
'When I first started, back a couple of decades ago, we talked about building trusted computing systems where the kernel of an operating system was a couple thousand lines of code,' said Ron Ross, the National Institute of Standards and Technology's senior computer scientist. 'The problem has gotten incredibly complex.'A new look
Ross said NIST scientists need to review how they evaluate the security of products, and how they relay that information to agencies and integrators.
Ross and NIST are trying to lighten some of the burden by improving the standards by which agencies secure their systems.
NIST last month published the draft of Special Publication 800-53, which focuses on improving the clarity of security controls, eliminating redundancies among controls and expanding the supplemental guidance for controls in key areas.
One of those areas is media protection, which includes personal digital assistants and mobile storage devices, and updating security controls after security incidents. NIST also included information on using external systems and service providers, such as an agency Lines of Business shared-services pro-vider or private-sector data storage services.
The final 800-53 is scheduled to be finished in December.
NIST laid out 17 minimum requirements for all federal systems to meet in the draft of 800-53.'Stop chasing your tail'
These requirements will 'stop 95 percent of the attacks,' Ross said. 'The other 5 percent are so nasty they cannot be stopped. But if you are stopping 95 percent of the attacks, then you can focus on the other 5 percent and stop chasing your tail.'
Alan Paller, research director of the SANS Institute of Bethesda, Md., said the best way to ensure software and services are secure is for agencies to make it the vendor's responsibility.
'We can only solve the problem by putting the problem on the vendor, because they know what settings are needed to secure your systems,' Paller said at a recent conference sponsored by the American Council for Technology and Industry Advisory Council. 'There are 140 organizations that have come together to agree on common procurement specs, and they already are buying new systems with security baked in them.'
Ross said this is critical, especially as agencies and vendors work more closely together.
'It's about the common foundation of trust,' Ross said. 'The idea is to get as many effective controls versus vulnerabilities as possible within your resources. Then you cut the risk to your mission.'