The National Cyber Security Partnership (NCSP), a consortium of business and technology groups, has been formed to develop shared standards and programs to better secure the U.S.'s critical information infrastructure. It recently released draft strategies which, taken together, offer a long-term plan to reduce software vulnerabilities. These were offered by several of its working groups, which cover technical standards/common criteria, research, corporate governance and more.
As well as encouraging the government and users to demand the certification of security management products, and advocating that vendors, user groups and consumers work with the National Institute of Standards and Technology to develop stronger baseline policies for various IT environments, the group is recommending a host of other interesting items on a 'to do' list. It wants testing of software security during initial design stages, strong out-of-the-box security configurations for products, more and stronger security checklists and recommendations provided with products and, particularly, that industry collaborates to develop sets of standards "for using recommended security equipment, and best practices for understanding, designing and implementing secured IP network infrastructures."
If the recommendations are one day followed and championed by vendors, government and other industry players, many of the attacks leveraging system holes would be minimized drastically. But it's going to take a long time and a lot of cooperation to get there. Let's hope the vendor members will commit for the long-term.
The NCSP is seeking from the public a review of the suggestions made, in addition to some specific advice on how the industry can adopt and implement the recommendations. Email Leslie Saul Garvin on email@example.com. You can learn more and get a copy of the recommendations at www.cyberpartnership.org.
And while you're doing that, you should also hit SC Magazine's website. To continue sending you a complimentary subscription of the magazine, we need you to renew once a year. So renew online at www.e-circ.net/isn/isnsub.asp. And thanks kindly for reading.