The National Cyber Security Partnership today announced its recommendations to make cyberspace safer, including...
common configurations among software vendors and source code security testing.
The recommendations, though voluntary, are seen by some in the security industry as a strong step toward more secure systems.
This report "contains some of the most illuminating and useful information ever published by the vendor community," said Alan Paller, director of the Bethesda, Md.-based SANS Institute. "For the first time, the vendors have defined the most important security errors they have made and continue to make. These are fundamental errors that are causing high cost for users. The admission that the vendors are making such mistakes, and that the mistakes must be corrected, are the essential first steps in improving cybersecurity in America."
Experts from industry, government and academia spent four months hammering a set of common criteria which they hope will help customers make better IT purchases and provide tighter security in the next generation of software products.
The Corporate Governance Task Force was set up in December in response to the President's National Strategy to Secure Cyberspace.
Citing Benjamin Franklin, Mary Ann Davidson, Oracle chief security officer, said, "We must all hang together, or assuredly we shall all hang separately.
"It's time this industry got ahead of cyberthreats [and] addressed security issues directly before government gets involved," said Davidson, who is also a cofounder of the partnership.
The National Cyber Security Partnership (NCSP) made recommendations in five key areas: common configuration; research and development; technical standards; product architecture; and the use of National Information Assurance Partnership metrics.
Often, holes in insecure software are first identified by hackers; the flaws are then corrected by patches. Or corporations are forced to pay third-party security companies to make the product safe. "This must change," said Davidson. "When you buy a car you don't have to pay the car company to flip a bunch of switches to make the breaks work."
The report recommends that security products from disparate software vendors be based on common configuration standards. For example, firewalls from different vendors often include different features; the industry needs to define what features should be standard.
The committee recommended that the industry create software that tests source code security. "Finding all buffer overflow problems before software products ship would reduce the amount of common vulnerabilities exploited by hackers by more than 50%," said Davidson.
Such tools would need to be scalable, to scan upward of five million lines of code, to be able to find weaknesses without producing too many false positives or false negatives, and be equally adept at scanning object code and source code.
The partnership's technical standards working group has suggested that the government require a vulnerability analysis of each product to root out more flaws. And makes recommendations for the configuration and patching of software for different groups of users such as government, home, and specific sectors like healthcare and finance, and education.
The task force report recommends that vendors devise more realistic security testing of their products in real-world situations; that they take a more proactive role in the development of product security recommendations; and provide more substantive security recommendations, configuration checklists, best practices, assumptions, dependencies and considerations in their product documentation.
Among other recommendations were developing baseline security recommendations that apply to all user communities or environments, making every attempt to ensure that products that are configured in accordance with their security configuration recommendations are left in a vendor-supported state, and making secure by default a product release requirement.
The group suggested that products be evaluated, tested and graded by approved institutions licensed by the National Institute of Standards and Technology (NIST) so that consumers can make apples for apples product comparisons.
"Smart buyers move markets," said Chris Klaus, cofounder of the National Cyber Security Partnership and CEO of Internet Security Systems. "Government and large corporations can encourage software vendors to produce more secure software by their purchasing decisions."