Got any ideas on how to improve the Organization for Internet Safety's guidelines for reporting and responding...
to software security flaws? If so, the group wants to hear from you in the next 30 days.
The OIS -- an alliance of IT vendors and analysts formed in 2002 to develop a standard approach to handle security vulnerabilities -- has started an annual review of the guide it first released last summer.
The guide is essentially a code of conduct between vendors and analysts. It's designed to ensure vendors respond to a researcher's notification of a software vulnerability within days and attempt to create a patch within a month; and that researchers give vendors time to make fixes available before releasing details of the flaw. Since its release, OIS has been asked to shorten and streamline the guidelines and ensure they are consistent with the recommendations made by several public-private partnerships, said Scott Blake, a member of OIS and vice president of information security at Houston-based software company BindView Corp.
"Some vendors say our recommendations are too strict while some analysts say they are too loose," Blake said. "Hopefully, that means we're striking a good balance." He also hopes the proposed 2004 edition addresses the feedback OIS has already received. A draft of the 2004 guidelines is now out, and the final version is scheduled to come out in mid-July.
In a press release, OIS said it will also "begin proactive outreach to solicit comments from experts in the vendor and security researcher communities." By conducting yearly public reviews, the organization "hopes to ensure that the guidelines remain useful and relevant to the security community and, most importantly, to the millions of computer users who are the ultimate beneficiaries of effective computer security practices."
Blake said the 2003 guide has been well received in the IT community.
"We've seen a lot of companies that may not be officially adopting the guidelines, but are using them without making a lot of noise," Blake said. "Sun and Cisco are not in our organization, but if you look up their policies, they are fairly similar to ours."
Groups officially endorsing the guidelines include the National Cyber Security Partnership Task Force. In a recent report titled "Improving Security Across the Software Development Lifecycle," the task force said, "OIS has drafted a set of voluntary guidelines for behavior that promotes greater cooperation, predictability and accountability than is generally existant today. Broad adoption of these guidelines would lead to more effective interactions and result in more rapid and effective response to identified vulnerabilities."
OIS member companies include @stake, BindView Corp., Foundstone, Internet Security Systems Inc., Microsoft Corp., Network Associates Inc. (which just changed its name to McAfee), Oracle Corp., The SCO Group, SGI and Symantec.