The more basic the better, security report recommends
- By William Jackson
- Apr 19, 2004
A coalition of public- and private-sector organizations today called on hardware and software vendors to pay more attention to basic security in products for the public.
'The security-worthiness of software is essential to the protection of our nation's critical infrastructure,' said Mary Ann Davidson, Oracle Corp.'s chief security officer and co-chairwoman of the task force that produced the report. 'It is clear that to improve the security of deployed software, vendors are going to have to step up and provide customers with secure-by-default configurations.'
, which focuses on technical standards and the government's Common Criteria program, is the final one in a series of reports from the National Cyber Security Partnership.
Among the chief suggestions, the report calls for making the Common Criteria program run by the National Information Assurance Partnership (NIAP) more user-friendly and economical for vendors.
The Homeland Security Department, the U.S. Chamber of Commerce, the IT Association of America, TechNet and the Business Software Alliance created NCSP at a conference in December.
Other NCSP task forces focused on security awareness of home users and small businesses, a cyberthreat warning system, security during the software development lifecycle and corporate governance. The most recent previous report, released earlier this month, called for more high-level management involvement in security oversight (Click for GCN story)
The latest report, like its predecessors, details voluntary recommendations. The 104-page document covers five broad areas:
- Common configurations: Vendors need to produce better security documentation and release products with secure default configurations.
- Research: The government should fund research in vulnerability analysis tools and require their use in software development.
- Best practices and technical standards: Government and industry need to compile existing guidance on security management models.
- Equipment deployment and architecture: Industry should develop a set of standards for designing and implementing secure networks.
- Common Criteria: NIAP should make its international evaluation scheme more practical and cost-effective for vendors and increase demand for evaluated products.
NIAP, a joint program of the National Security Agency and the National Institute of Standards and Technology, runs the Common Criteria Evaluation and Validation Scheme for the United States.
The task force recommended that NIST receive $12 million immediately and an additional $6 million in subsequent years to develop protection profiles for nonclassified products, against which products can be evaluated.
William Jackson is a Maryland-based freelance writer.