ISVS Seek Federal Security Help

Industry asks DHS to mull intervention.

After years of imploring government officials to stay out of their way, some security industry executives have reversed their position and are asking for Washingtons input to improve software quality and network security. How serious they would be about following government suggestions or rules, however, is in doubt, experts say.

The accession is part of a massive set of recommendations released last week by an organization called Improving Security Across the Software Development Lifecycle, a group of industry executives and security experts from government agencies and academia that reports to the NCSP (National Cyber Security Partnership).

One of the key recommendations is that the Department of Homeland Security "examine whether tailored government action is necessary to increase security across the software development life cycle." However, this request is at odds with the position many in the industry—including some of the groups key members—have taken for years.

Software providers such as Microsoft Corp., Oracle Corp. and others have maintained that there is no way to legislate security and that the government lacks the technical expertise to understand the problems.

"These vendors have no clothes on this topic," said Alan Paller, director of research at The SANS Institute, in Bethesda, Md. "They ask for government direction only after everything else has failed."

For enterprises, the task forces recommendations will likely have little short-term effect. But in the long run, better-trained developers should produce better software with fewer vulnerabilities, leading to more secure networks.

The software development report is the third to come out of the NCSP. Two other reports are due later this spring. Among the other recommendations in the report is a call for more specific funding of computer security education and research efforts at the undergraduate and graduate levels. It also calls for the tracking and certifying of effective secure coding processes developed by ISVs or other organizations.