Task Force Spells Out Software Security Wish List

April 2, 2004

A task force of experts, academics, and government officials on Thursday rolled out its first round of recommendations for improving software security, noting that, among other things, developers need to adopt a set of patch management guidelines to guarantee that security fixes are thoroughly tested, reversible, and easy to install.

The task force -- one of five under the umbrella designation of the National Cyber Security Partnership -- came out of a security summit last December in Santa Clara, Calif., sponsored in part by the Department of Homeland Security. Like the others, it includes members from universities, the federal government, security consultants, think tanks, and the private sector, and is organized and managed by the Business Software Alliance, an association whose members make up a roll-call of technology's biggest brands, from Adobe and Apple to Microsoft and Macromedia.

Scott Charney, chief security strategist for Microsoft, was one of the group's two co-chairs, and noted the difficulty of ensuring that software is more secure. "Software security is a serious, long-term multifaceted problem that requires multiple solutions, and the application of resources through the development lifecycle," he said in a statement.

"If present trends continue, [security] could get much worse in the future," he added. "But there's no silver bullet for making software secure."

Even so, the group -- tagged with the long-winded title of Security Across the Software Development Cycle Task Force -- did have a number of ideas. Chief among them was a call for vendors to adopt the task force's "top-ten" guidelines for patch development and deployment. "The guiding principles [should] be adopted as an industry benchmark," the group's report recommended.

Those principles spell out what's essentially a common-sense list of requirements, ranging from thoroughly testing patches and creating patches that disturb as little code as possible to making them reversible and non-disruptive on production systems.

The group also called on the Department of Homeland Security (DHS) to establish a patch clearinghouse where all patches are inventoried, with notes on platform- and application-compatibility.

Other sub-groups within the task force concentrated on developer education, on putting security at the heart of the software design process, and on incentives for developers and companies that pursue security.

The last series of recommendations ranged from offering awards for the best secure software development processes and products -- think Oscars for security -- to a national IT security accreditation program that would be facilitated by the DHS. Additionally, the task force recommended that an appropriate technology trade association partner with law enforcement to offer rewards for locating and convicting cyber criminals. That's not much of a stretch, considering that Microsoft's Charney is a co-chair of the group: Microsoft has already put bounties on virus writers into play. The task force, however, is putting forward the idea that such rewards should be funded by a multi-company partnership.

The recommendations made by the task force Thursday are only the beginning, said Ron Moritz, chief security strategist for Computer Associates and the group's other co-chair. "The task force has taken important steps in the long road toward implementing key components of the National Strategy to Secure Cyberspace," he said.

"While [these steps] will take time for benefits to be achieved throughout the software lifecycle, they're likely to be profound," he concluded.
