Using what was to become a recurring metaphor in public statements last week, Microsoft's chief security strategist Scott Charney declared that there was no “silver bullet” for software security. Charney said it not solely as a Microsoft representative, but as co-chair of the National Cyber Security Partnership (NCSP) Task Force, which describes itself as a public-private partnership established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure.

The NCSP released its Issues Report on Security Across the Software Development Lifecycle at the beginning of April, a 123-page document that offers four general recommendations for making the global digital environment significantly more secure. According to its executive summary, those key recommendations are:

- enhancing the education of present and future developers to put security at the heart of software design and at the foundation of the development process
- developing and sharing best practices to improve the quality of software, as well as the process, so that systems are more resilient to attack
- creating incentives that can create a culture of security awareness, and disincentives for malicious behavior
- making the patching process simple, easy and reliable

No shocking revelations there. Nor does it look like much skin off the nose of the software industry associations and corporations that dominate the NCSP. For example, as CNET News notes, the proposal probably means that future software programmers would have to pay to gain the credentials necessary to work for companies that make the most popular applications. Within the details, however, the door has opened a crack for government participation, if not regulation.
Under the second general topic is a recommendation for the mid-term (as opposed to the immediate or the distant future) that industry and the Department of Homeland Security establish measurable annual security goals for the principal components of U.S. cyber infrastructure and track progress. And under the incentives recommendation, one bullet point says that DHS should examine whether tailored government action is necessary to increase security across the software development life cycle.

According to an InfoWorld story, Ron Moritz, co-chairman of the NCSP and chief security strategist at Computer Associates, said one area where the government can play a key role is through funding of research. For example, grants to universities to fund research into a new generation of secure programming languages could spur innovation in an area that the private sector has not wanted to fund in the past decade, he said. “This is a great opportunity, at the national level, to (get) government to motivate academia to think about the problem,” he said.

So. A vendor-dominated organization suggests that the government prompt academia to get people on track for security. Is that a cynical take on it or an accurate description? Does the new report break any new ground? Are vendors stepping up to be accountable, or trying to dodge security bullets, silver or otherwise? Let us know what you think.