In Brief
Certifiably Secure Software
Cybersecurity Software products don't typically come with a Good Housekeeping Seal of Approval, but they will, if a public-private cybersecurity task force has its way.
By Paul Roberts
June 01, 2004 — CSO — Cybersecurity Software products don't typically come with a Good Housekeeping Seal of Approval, but they will, if a public-private cybersecurity task force has its way.
This spring, the National Cyber Security Partnership Task Force on Technical Standards and Common Criteria published recommendations to reduce software security vulnerabilities
A guiding ethos of the group was that the task of ensuring product security shouldn't fall entirely on the shoulders of software executives and CSOs. The government can use its purchasing power to force vendors to build better products, and to set industrywide standards for security.
The recommendations that the task force put forth are part of a larger effort to secure the U.S. critical information infrastructure.
Among the recommendations were the following:
- Technology companies should do more to foster secure computer coding practices and code audits that eliminate software vulnerabilities.
- Companies should ship products with "secure by default" configurations and adhere to common product security "profiles" for different kinds of IT products.
- The federal government should invest in software vulnerability assessment technology and support standards groups like the National Institute of Standards and Technology and the National Information Assurance Partnership.
The recommendations are intended to guide the decisions of software developers, purchasers and end users by making them more savvy about IT security.
In fact, task force leaders believe that the government's renewed focus on making common criteria certification a prerequisite for government procurement has already produced dramatic results in IT security.
"This is just truth in advertising for software," says Mary Ann Davidson, CSO at Oracle and cochairwoman of the task force. "Every vendor says its product is secure. We need an independent entity to vet those claims."
Other stories by Paul Roberts
$firstKeyword
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
