Certifiably Secure Software

Cybersecurity Software products don't typically come with a Good Housekeeping Seal of Approval, but they will, if a public-private cybersecurity task force has its way.

. What's this?

By

June 01, 2004CSO — Cybersecurity Software products don't typically come with a Good Housekeeping Seal of Approval, but they will, if a public-private cybersecurity task force has its way.

This spring, the National Cyber Security Partnership Task Force on Technical Standards and Common Criteria published recommendations to reduce software security vulnerabilities

A guiding ethos of the group was that the task of ensuring product security shouldn't fall entirely on the shoulders of software executives and CSOs. The government can use its purchasing power to force vendors to build better products, and to set industrywide standards for security.

The recommendations that the task force put forth are part of a larger effort to secure the U.S. critical information infrastructure.

Among the recommendations were the following:

  • Technology companies should do more to foster secure computer coding practices and code audits that eliminate software vulnerabilities.
  • Companies should ship products with "secure by default" configurations and adhere to common product security "profiles" for different kinds of IT products.
  • The federal government should invest in software vulnerability assessment technology and support standards groups like the National Institute of Standards and Technology and the National Information Assurance Partnership.

The recommendations are intended to guide the decisions of software developers, purchasers and end users by making them more savvy about IT security.

In fact, task force leaders believe that the government's renewed focus on making common criteria certification a prerequisite for government procurement has already produced dramatic results in IT security.

"This is just truth in advertising for software," says Mary Ann Davidson, CSO at Oracle and cochairwoman of the task force. "Every vendor says its product is secure. We need an independent entity to vet those claims."

Read more about application security in CSOonline's Application Security section.

Other stories by Paul Roberts

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
RESOURCE CENTER