The more basic the better, security report recommends

A coalition of public- and private-sector organizations today called on hardware and software vendors to pay more attention to basic security in products for the public.

'The security-worthiness of software is essential to the protection of our nation's critical infrastructure,' said Mary Ann Davidson, Oracle Corp.'s chief security officer and co-chairwoman of the task force that produced the report. 'It is clear that to improve the security of deployed software, vendors are going to have to step up and provide customers with secure-by-default configurations.'

The report, which focuses on technical standards and the government's Common Criteria program, is the final one in a series of reports from the National Cyber Security Partnership.

Among the chief suggestions, the report calls for making the Common Criteria program run by the National Information Assurance Partnership (NIAP) more user-friendly and economical for vendors.

The Homeland Security Department, the U.S. Chamber of Commerce, the IT Association of America, TechNet and the Business Software Alliance created NCSP at a conference in December.

Other NCSP task forces focused on security awareness of home users and small businesses, a cyberthreat warning system, security during the software development lifecycle and corporate governance. The most recent previous report, released earlier this month, called for more high-level management involvement in security oversight (Click for GCN story).

The latest report, like its predecessors, details voluntary recommendations. The 104-page document covers five broad areas:

  • Common configurations: Vendors need to produce better security documentation and release products with secure default configurations.

  • Research: The government should fund research in vulnerability analysis tools and require their use in software development.

  • Best practices and technical standards: Government and industry need to compile existing guidance on security management models.

  • Equipment deployment and architecture: Industry should develop a set of standards for designing and implementing secure networks.

  • Common Criteria: NIAP should make its international evaluation scheme more practical and cost-effective for vendors and increase demand for evaluated products.

NIAP, a joint program of the National Security Agency and the National Institute of Standards and Technology, runs the Common Criteria Evaluation and Validation Scheme for the United States.

The task force recommended that NIST receive $12 million immediately and an additional $6 million in subsequent years to develop protection profiles for nonclassified products, against which products can be evaluated.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • health data

    Improving the VA patient journey with data transparency

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group