The computer industry and the federal government alike need to greatly improve their efforts to reduce the vulnerability of the nations networks, beginning with a major shift in the way software and hardware are built and sold, according to a federal report due out this week.
The report, written by a task force from the National Cyber Security Partnership, lays out dozens of recommendations for overhauling the way vendors build and sell their products and the process the government uses to evaluate them for compliance with technical standards.
This is the fifth and final task force report from the NCSP, a group of government officials and industry executives formed last year to help implement the Presidents National Strategy to Secure Cyberspace.
The reports main thrust is an effort to improve and expand the governments Common Criteria process so that it becomes a more recognizable certification, something akin to a seal of approval.
The task force is also asking that the government help pick up the tab for the certification process—which can cost millions of dollars—in the form of tax credits for research and development or direct payment of some evaluation costs.
“We would like [Common Criteria certification] to be table stakes,” said Mary Ann Davidson, chief security officer of Oracle Corp., in Redwood Shores, Calif., and co-chair of the Technical Standards and Common Criteria Task Force of the NCSP. “It would be a seal that customers can see so they know that the vendor built this product with security in mind. The government is starting to use this as part of the procurement process.”
The Common Criteria certification program is overseen by the National Institute of Standards and Technology and the National Security Agency under the National Information Assurance Partnership umbrella. There are several levels of certification, and the process is open to most hardware and software products, not just security offerings.
Specifically, the task force is recommending that NIAP develop “protection profiles” for a larger number of products so that vendors know exactly how to build their products to meet NIAPs standards. Currently, there are only a handful of protection profiles, many of which are classified. The report also encourages the government to require a vulnerability analysis of each product, even at the lowest certification levels, as a way to root out more flaws.
In a similar vein, the task force asks the government to fund research into better code-scanning tools that would help vendors find coding errors before their products make it to market.
Any major changes to the Common Criteria process could have a profound effect on the way vendors build their products because several federal agencies have begun using the evaluations as part of their purchasing process, giving certified products a leg up. In addition, if the certification eventually gains more credibility and understanding among enterprise customers, it could become a competitive advantage for vendors.
“It could become a de facto Underwriters Laboratory [Underwriters Laboratories Inc.] seal. The intention is to make assurance something that every vendor does,” said Chris Klaus, chief technology officer of Internet Security Systems Inc., in Atlanta, and co-chair of the task force. “People can always ask for more, but you have to start somewhere. The vendors want this to be widespread.”
“I think an industry standard for security is long overdue,” said Patrick Flannigan, IT administrator at CFS Mortgage Corp., in Phoenix. “Id relate it to the UL seal of approval on electrical appliances. I wouldnt buy one without it. [The government and vendors should] publicize it so that IT folks and the general public are aware of it. That acceptance would motivate manufacturers to ensure [products] meet as high a standard as possible, raising the overall average level of security in computing.”
The task force also wants NIAP to make the evaluation process more accessible and easier to complete so that smaller vendors with fewer resources can take advantage of it. One major problem with the testing process is the relatively small number of labs that are certified to do Common Criteria evaluations.
“It takes too long and costs too much money, but NIST doesnt have the money for any more labs,” said Oracles Davidson. “There needs to be some more allocated for that.”
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: