Software giants Microsoft and Computer Associates are heading up the National Cyber Security Partnership, a task force that is calling for security to be built into software development from the start. The NCSP also is suggesting a more prominent role for government in securing software during the development process.
The group, which released its first round of recommendations this week, is only the latest to highlight the need for better synergy between industry and government on information security. The NCSP said research, education, development and patching are all areas of concern and urged the government to play a more prominent role in the effort.
“[The Department of Homeland Security and National Cyber Security Division] should examine whether tailored government action is necessary to increase security across the software development cycle,” the group said in its report.
However, some resisted calls for security coming from companies that are themselves blamed for contributing to the insecurity of software and networks.
“It’s kind of an admission of defeat on the part of big players,” Gartner research director Richard Stiennon told TechNewsWorld. “Computer Associates and Microsoft are pretty distant from business realities and the actual daily security struggle. They’re not part of what is causing organizations to make themselves more secure.
“Neither have the jurisdiction to call on government to do something about a problem, even though they’re part of the problem,” Stiennon added.
Economic, Social, Security Gains
Nevertheless, backers of the group’s initiatives and recommendations said their efforts were necessary to instill more security in their products.
“Software security is a serious, long-term, multifaceted problem that requires multiple solutions and the application of resources through the development lifecycle,” said task force cochair Scott Charney, also chief security strategist for Microsoft.
Computer Associates chief security strategist and fellow cochair Ron Moritz noted that by improving research, education, development and patch distribution and management, the group’s recommendations will augment the economic value, social benefits and security of software.
Knowing What It Takes
Sunil James, iDefense director of vulnerability intelligence, told TechNewsWorld that the task force recommendations come at a time when the U.S. federal government is gaining rapport with industry.
“I think now that Homeland Security is getting its feet on the ground, particularly the cyber security division, they are now able to come out with more authority and respect in working with the security community,” James said.
He added that the companies behind the task force — whose software has been the target of increasing numbers of attacks resulting from worms and other security compromises — know what it takes to make their software more secure.
Government Involvement Good
The NCSP also recommended adoption of an “incentives framework” that can be used by policymakers, developers and companies to develop effective strategies for securing software.
Ronn Bailey, CEO and CTO of Vanguard Integrity Professionals, launched a public-private partnership effort about a year ago and said that while he is not pleased with its progress so far, the recent task force recommendations could be beneficial.
“If government was going to do something, it would probably be helpful to create an international standard for security administration — the operational, working protocols, access control, logging and authentication — the real basic stuff,” Bailey told TechNewsWorld.
Wrong Investment?
Jim Kohlenberger, security advisor for task force member the Business Software Alliance, said that although industry is taking steps to improve network and software security, there is a role for government as well.
“At some time over the long run, government has an important role as convener in the process itself, just as it did here,” Kohlenberger told TechNewsWorld. “The public-private partnership is important because 95 percent of the infrastructure is owned by the private sector. They have a big role, and so does government.”
However, Gartner’s Stiennon warned that government involvement could slow the security response to ever-changing and advancing threats.
“Companies are losing money, losing faith and losing productivity because of lack of security,” he said, adding that companies actually can protect themselves with the variety of security technology available today. “It’s happening more and more — there will be lawsuits, there will be outages. We will slowly evolve and get more secure.
“If government ever dictates to anyone how to secure themselves, we will be making the wrong investment,” Stiennon added. “Threat legislation is never going to be fast enough to counter the evolution of threats.”
For his part, CA’s Moritz told TechNewsWorld that while education and training of both new and veteran software developers is key to the group’s goals, government has a history of working with industry and academia on such initiatives.
“That is a great role for government along with academia and business,” he told TechNewsWorld. “That’s a great national mission, and government is good at doing national missions.”