Programmers told to put security over creativity
By Robert Lemos, Staff Writer, CNET News.com
Story last modified April 1, 2004, 4:07 PM PST
Certification for programmers, better education and even new
laws are needed to improve software security, stated a report
published Thursday by a coalition of corporate security experts,
academic researchers and government agencies.
The report--the third of five expected to be published in March
and April by the National Cyber Security Partnership--proposes
changes to education, software development and patching as well as
incentives to convince software makers to improve the security of
their wares.
The broad swath of initiatives is needed to help companies
improve the quality of their software, said Scott Charney, chief
security strategist for Microsoft and co-chairman of the Security
Across the Software Development Life Cycle Task Force.
"There is no silver bullet for making software secure,"
he said in a statement.
Established late last year, the National Cyber Security
Partnership brings together security experts from the private,
academic and public sectors in an attempt to improve security. The
members divided the organization into five working groups to focus
on specific problem areas: creating awareness in home computer
users and small businesses; establishing a cybersecurity early
warning system; making information security part of corporate
governance; advocating technical best practices for security; and
pushing security improvements into the software development
process.
Two other groups--the Awareness and Outreach Task Force and the
Cyber Security Early Warning Task Force--released their reports in
late March.
The Security Across the Software Development Life Cycle Task
Force published Thursday's report. That working group split its
recommendations into education initiatives, software development
improvements, a list of the top 10 patching prescriptions, and
incentives to spur companies into adopting the recommendations.
As part of the education initiatives, the working group advised
the government to create more programs to train computer-science
professors and graduates in security. Moreover, certification
would be a must, said Jim Cohlenberger, security advisor for the
Business Software Alliance, which acted as the administrative
organization for the working group.
"There are certifications today that are more for IT
administrators, but this is geared toward software
developers," Cohlenberger said.
The proposal likely means that future software programmers
would have to pay to gain the credentials necessary to work for
companies that make the most popular applications.
The task force also called for studies of the software development
process to find out which methods produce programs with the fewest
vulnerabilities. In the end, the report recommends, the development
processes that yield the best software should be taught to
programmers and certified by the government.
The working group also produced a list of the top 10 patching
practices, urging companies to make sure that any updates to
existing software follow the prescriptions. The recommendations
ask for companies to thoroughly test their patches, shrink the
size of the updates, make them easy to install, and ensure that
any installation can be reversed in case of problems.
Finally, the group advised the partnership to create incentives
for companies to adopt the new software development processes. The
initiatives include recommendations for making the security of
software a job-performance factor for programmers, and for
creating awards for the best development practices and for
innovative educators in security. Moreover, the task force called
for a broad reward program for information leading to the
conviction of cybercriminals.
Government action?
Perhaps the most surprising recommendation is that government
study the effectiveness of tailored government action to increase
security. The Department of Homeland Security should examine
"such options as liability, and liability relief, regulation
and regulatory reform, tax incentives, enhanced prosecution,
research and development, education, and other incentives,"
the report said.
That may sound like a call for legislation, but the BSA's
Cohlenberger would only speak in general terms about the aim of
such a proposal.
"For critical infrastructure and similar areas, we have to
see if there is a security gap between what we need for national
security and what is currently out there," he said. If there
is such a gap, then "action" by the government may be in
order.
The task force recommendations come four months after industry
and government officials met to discuss how a partnership could
improve the nation's overall cybersecurity, and more than a year
after the Bush administration released the final draft of the
National Strategy to Secure Cyberspace.
Some security experts criticized the proposals as a way for
companies to dodge responsibility for the morass of security
issues that plague firms and people on the Internet. A similar
charge was leveled against the National Strategy to Secure
Cyberspace, which recommends that each Internet participant learn
to secure his or her own portion of the online domain.
The report can be found on the National Cyber Security
Partnership's Web site.