Certification, education, strict development models and limited legislation are needed to make programs more secure, says a report from security firms and software makers.
The report--the third of five expected to be published in March and April by the National Cyber Security Partnership--proposes changes to education, software development and patching as well as incentives to convince software makers to improve the security of their wares.
The broad swath of initiatives is needed to help companies improve the quality of their software, said Scott Charney, chief security strategist for Microsoft and co-chairman of the Security Across the Software Development Life Cycle Task Force.
"There is no silver bullet for making software secure," he said in a statement.
Established late last year, the National Cyber Security Partnership brings together security experts from the private, academic and public sectors in attempt to improve security. The members divided the organization into five working groups to focus on specific problem areas: creating awareness in home computer users and small businesses; establishing a cybersecurity early warning system; making information security part of corporate governance; advocating technical best practices for security; and pushing security improvements into the software development process.
Two other groups--the Awareness and Outreach Task Force and the Cyber Security Early Warning Task Force--released their reports in late March.
The Security Across the Software Development Life Cycle Task Force published Thursday's report. That working group split its recommendations into education initiatives, software development improvements, a list of the top 10 patching prescriptions, and incentives to spur companies into adopting the recommendations.
As part of the education initiatives, the working group advised the government to create more programs to train computer-science professors and graduates in security. Moreover, certification would be a must, said Jim Cohlenberger, security advisor for the Business Software Alliance, which acted as the administrative organization for the working group.
"There are certifications today that are more for IT administrators, but this is geared toward software developers," Cohlenberger said.
The proposal likely means that future software programmers would have to pay to gain the credentials necessary to work for companies that make the most popular applications.
The task force also called for studies of the process of developing software to find out which methods result in programs with the least vulnerabilities. In the end, the report recommends, those development processes that result in the best software should be taught to programmers and certified by the government.
The working group also produced a list of the top 10 patching practices, urging companies to make sure that any updates to existing software follow the prescriptions. The recommendations ask for companies to thoroughly test their patches, shrink the size of the updates, make them easy to install, and ensure that any installation can be reversed in case of problems.
Finally, the group advised the partnership to create incentives for companies to adopt the new software development processes. The initiatives include recommendations for making the security of software a job-performance factor for programmers, and for creating awards for the best development practices and for innovative educators in security. Moreover, the task force called for a broad reward program for information leading to the conviction of cybercriminals.
Perhaps the most surprising recommendation is that government study the effectiveness of tailored government action to increase security. The Department of Homeland Security should examine "such options as liability, and liability relief, regulation and regulatory reform, tax incentives, enhanced prosecution, research and development, education, and other incentives," the report said.
That may sound like a call for legislation, but the BSA's Cohlenberger would only speak in general terms about the aim of such a proposal.
"For critical infrastructure and similar areas, we have to see if there is a security gap between what we need for national security and what is currently out there," he said. If there is such a gap, then "action" by the government may be in order.
The task force recommendations come four months after industry and government officials met to discuss how a partnership could improve the nation's overall cybersecurity, and more than a year after the Bush administration released the final draft of the National Strategy to Secure Cyberspace.
Some security experts criticized the proposals as a way for companies to dodge any responsibility for the morass of security issues that plague firms and people on the Internet, a charge similar to that leveled against the National Strategy to Secure Cyberspace, which recommends that each Internet participant learn to secure his or her portion of the online domain.
The report can be found on the National Cyber Security Partnership's Web site.