Group releases recs for improving software security

A task force of the National Cyber Security Partnership on Thursday released its initial recommendations for boosting software security, including patch management guidelines, improved education for software developers, and incentives.

The 123-page report comes about two weeks after two other task forces of the NCSP, a coalition of business and technology groups, released recommendations for improving cybersecurity awareness and early warning.

The task force, called "Improving Security Across the Software Development Lifecycle," suggests developing best practices that put security at the core of the software design process, adopting guiding principles for patch management to ensure patches are tested and easy to install and remove, and improving the education of software developers through the creation of a software security certification accreditation program and other efforts.

The group's recommendations for incentives include a suggestion that deviates from the market-driven approach NCSP has called for with regards to cybersecurity. The group suggests that the Department of Homeland Security and its National Cyber Security Division examine "whether tailored government action is necessary to increase security across the software development lifecycle."

While market forces and business needs are improving software security, the report states, "it is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide."

Any such gap "should be filled by appropriate and tailored government action that interferes with market innovation on security as little as possible," the group notes.

The task force was co-chaired by Scott Charney and Ron Moritz, chief security strategists at Microsoft and Computer Associates, respectively. Other members included representatives from universities, vendors, and consultants.

www.cyberpartnership.org
