Software Task Force Urges Security Upgrades

A national task force that includes major software companies such as Computer Associates, Hewlett-Packard, and Microsoft took the unexpected position that government regulation, in certain circumstances, may be required to induce the software industry to develop more-secure applications.

The Software Lifecycle Taskforce was formed in December and was charged with developing ways to reduce and manage the software vulnerabilities that make many hacker and worm attacks possible. The task force wrote in its 120-plus-page report, issued Thursday, that while market forces are working to help improve secure application development, much more may need to be done to secure critical infrastructures. "It is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," the report says.

However, the report also says any government action should interfere with market innovation "as little as possible" and that the Department of Homeland Security and its National Cybersecurity Division should work with industry to explore whether a security gap will exist in the future for the critical infrastructure. The report also recommended ways to fill a potential gap should be examined, which include software "liability and liability relief, regulation and regulatory reform, tax incentives, enhanced prosecution, research and development, education, and other incentives proposed in this report."

However, Ron Moritz, senior VP and chief security strategist at Computer Associates, who co-chaired the task force with Scott Charney of Microsoft, downplayed the potential of any pending legislation. "There are no recommendations for regulation at this particular time," Moritz says.

Moritz adds that government and industry need to tread lightly when it comes to any legislation. "We haven't done sufficient studies to know what impact legislation could have on the industry," he says. "What impact would software liability laws have on small software vendors or the open-source community?"

The report recommends the issue of regulation be studied next year.

Others would like to see more immediate and tangible actions. John Pescatore, VP and research fellow at research firm Gartner, says the government should quickly start to use its purchasing power to drive the development of more-secure applications. "Government services need just as secure software as the power, communications, banks--government services are critical infrastructure," he says. "If they start buying more-secure software and Internet services now for government use, by 2006 that will have had much more impact than a study in 2005."

Alan Paller, director of research at the SANS Institute, a cooperative research and educational organization, agrees. "There is no discussion of using federal buying power to ensure software vendors meet reasonable standards," he says. "There's no discussion of removing antitrust limitations so buyers in critical infrastructure can work together to provide incentives for software suppliers to do a better job."

"We welcome the debate, and after only four months of work it is premature to move forward with some of these recommendations," Mortiz says.

Other recommendations in the report include:

• Improving the education of current and future software developers, including creation of an initiative to make security a core component of software-development programs at the university level and a Software Security Certification Accreditation Program.

• Developing best practices for putting security at the heart of the software-design process.

• Adopting a set of "Guiding Principles For Patch Management" to ensure that patches are well-tested, small, localized, reversible, and easy to install.

• Adopting an "Incentives Framework" that policy makers, developers, companies, and others can use to develop effective strategies and incentives for making software more secure.

Pete Lindstrom, research director at Spire Security, sums up the frustration many security professionals have with the slow progress toward securing critical infrastructure. "They're not telling us something we already didn't know," he says. "We're wallowing in the mire, and at some point someone has to do something."