Task force urges security collaboration

Report on Improving Security Across the Software Development Lifecycle

Improving software security will demand a concerted effort from government, industry and higher education, said members of a national task force on software development in a report released today.

In a 100-page document, the security task force made four broad recommendations for improving software security. In most of them, members called for common knowledge to be applied where it is now given only lip service.

"As a software executive, the hardest thing to do is to look into the eyes of a team member who's been working for your company for 20 years and to say, 'You've been doing it wrong for 20 years,'" Ron Moritz, chief security strategist for Computer Associates International Inc. and a co-chairman of the task force, said in an interview. "But that's what we're doing now."

The task force defines secure software as software that preserves "the confidentiality, integrity and availability" of information. The report concluded that software security improvement requires:

Higher education to do a better job of teaching future software developers.

The software industry to make security an integral part of the design process.

Policymakers and others to create incentives that reward those who create secure software code.

And the software industry to come together on a common method of managing the process of patching software when insecurities are discovered.

Federal agencies and other organizations should carefully pick and choose which recommendations to focus on, Moritz said. "If you try to do everything, you'll probably get nothing done," he said.

The group also recommended more basic research on creating secure software. "The research process has slowed down and needs to be reenergized," Moritz said.

He cited Sun Microsystems Inc.'s Java language as a vast improvement over existing languages when it was created 10 years ago. It may be in the national interest to finance research on a language that goes even further than Java to help programmers write secure software, Moritz said.

Perhaps the harshest statement in the report came from the task force's educational subgroup: "If the United States is to progress beyond immature infrastructures created by amateurs, professionalism based on a sound university education is required."

Although the task force was not created to advise the Homeland Security Department, the report suggests a role for DHS in creating security metrics for the principal components of the United States' cyberinfrastructure and keeping track of progress in meeting those benchmarks.

"I see DHS as the project manager, as the key influencing body," Moritz said.

The task force was organized by the National Cyber Security Partnership, which includes the Business Software Alliance; the Information Technology Association of America; TechNet, a chief executive officers group; and the U.S. Chamber of Commerce. Among the partnership's members are academic, corporate, government and industry cybersecurity experts.

The task force developed its recommendations in response to the President's National Strategy to Secure Cyberspace.