The more basic the better, security report recommends

A coalition of public- and private-sector organizations today called on hardware and software vendors to pay more attention to basic security in products for the public.

"The security-worthiness of software is essential to the protection of our nation's critical infrastructure," said Mary Ann Davidson, Oracle Corp.'s chief security officer and co-chairwoman of the task force that produced the report. "It is clear that to improve the security of deployed software, vendors are going to have to step up and provide customers with secure-by-default configurations."

The report, which focuses on technical standards and the government's Common Criteria program, is the final one in a series of reports from the National Cyber Security Partnership.

Among the chief suggestions, the report calls for making the Common Criteria program run by the National Information Assurance Partnership (NIAP) more user-friendly and economical for vendors.

The Homeland Security Department, the U.S. Chamber of Commerce, the IT Association of America, TechNet and the Business Software Alliance created NCSP at a conference in December.

Other NCSP task forces focused on security awareness of home users and small businesses, a cyberthreat warning system, security during the software development lifecycle and corporate governance. The most recent previous report, released earlier this month, called for more high-level management involvement in security oversight.

The latest report, like its predecessors, details voluntary recommendations. The 104-page document covers five broad areas:

  • Common configurations: Vendors need to produce better security documentation and release products with secure default configurations.

  • Research: The government should fund research in vulnerability analysis tools and require their use in software development.

  • Best practices and technical standards: Government and industry need to compile existing guidance on security management models.

  • Equipment deployment and architecture: Industry should develop a set of standards for designing and implementing secure networks.

  • Common Criteria: NIAP should make its international evaluation scheme more practical and cost-effective for vendors and increase demand for evaluated products.

NIAP, a joint program of the National Security Agency and the National Institute of Standards and Technology, runs the Common Criteria Evaluation and Validation Scheme for the United States.

The task force recommended that NIST receive $12 million immediately and an additional $6 million in subsequent years to develop protection profiles for nonclassified products, against which products can be evaluated.

About the Author

William Jackson is a Maryland-based freelance writer.
