Coalition makes recommendations to improve software security
- By William Jackson
- Apr 01, 2004
Acknowledging that 'security is a serious problem and, if present trends continue, could be much worse in the future,' a task force of industry and academic officials issued recommendations Thursday for improving the software development process.
The recommendations focus on improving the education and training of software developers, implementing industry best practices in the development process, and providing legal and business incentives for better performance and disincentives for failure.
The task force did not address whether disincentives should include legal liability for software defects.
The task force was co-chaired by the chief security strategists for two major software companies, Ron Moritz of Computer Associates Inc. and Scott Charney of Microsoft Corp.
The recommendations are simple, Moritz said, but 'we need to start.' He said that because of the ingrained behaviors of developers, it would take years to make a significant difference in software development.
The recommendations are the product of the five-month-old National Cyber Security Partnership, a coalition formed by the U.S. Chamber of Commerce, IT industry groups and the Homeland Security Department. The group established five task forces to develop plans for implementing the administration's National Strategy to Secure Cyberspace, released last year. Plans for an early warning network, public outreach and awareness programs were released last month.
Faulty software development has been cited as one of the major causes of IT security vulnerabilities.
'This task force is probably the most important of the five as far as making a significant change in society,' Moritz said. 'But it is the one that is least likely to make any changes in the short run.'
Poor software development practices are a behavioral problem, Moritz said, and 'changing behavior takes years.'
Referring to Microsoft's trusted computing initiative, Moritz said, 'Microsoft started changing its behavior two years ago, and they probably have another two to go.'
Moritz said new software engineers at Computer Associates undergo a boot camp to inculcate sound development practices, including security. Older developers are harder to reach, however. Computer Associates is 'on the path' to sound software development, but is not there yet, he said.
He said former Attorney General Janet Reno was one of the first government officials to begin drawing attention to the problem of software security, in 2000, but that 'Sept. 11 was a line in the sand for a lot of the industry, including us. So we're talking about a relatively new phenomenon.'
Critics of the software industry have blamed many security problems on software licenses that shield vendors from liability. Moritz said his task force avoided the issue of liability in the report, but said it could be addressed later.
'We don't believe there has been sufficient study of the impact of liability on the marketplace,' he said. It could drive small companies and open-source developers out of the market. 'We need to study this in much more depth. We deferred that to later stages in this process.
'Having said that, I am a big supporter of the free-market system,' he continued. 'If purchasing agents choose to assert their influence, you will see changes in the marketplace.'
The full 123-page report is available online at www.cyberpartnership.org/init-soft.html.
William Jackson is a Maryland-based freelance writer.