
Process, Best Practices Are Best Defense


Government task force recommends ways to improve software security



January 15, 2005 — Education and training of software developers, as well as creating and sharing best practices for improving quality, are among the recommendations made last month by the U.S. government-sponsored Security Across the Software Development Lifecycle task force for creating more secure applications.

The task force split into subgroups that reflect the issues involved, according to co-chair Ron Moritz of Computer Associates. In its executive summary, the task force said security is a research and education issue for universities, and involves skills, processes and testing for developers, requirements for software customers, and a patching issue for IT administrators.

“One of the key recommendations is to look at how we train engineers, and re-educating longtime practitioners,” Moritz said.

According to the summary, the education subgroup recommends that “software become a core component of software development programs at the university level with sufficient resources to build the academic capacity to improve secure software development.”

The group also recommends a certificate program for security professionals and supports creating software centers of excellence. Moritz added that one of the goals would be the funding of academic chairs at select universities in the area of secure software development.

Moritz said the group also advocates academic research into language design.

“The last major language introduced was Java,” said Moritz; the language was officially announced in May 1995. “It was an improvement over C++ in terms of security issues. But now, no faculty is researching software languages. Could a language be written that would ensure secure code?”

One subgroup urges the establishment of a security verification and validation program to evaluate different software development processes and practices for effectiveness in producing secure software.

A patching subgroup worked to define ways to make the process of patching simple and reliable, Moritz said. It developed guiding principles for patch management and recommended the adoption of a “top ten list” of best practices.

Another important area, according to Moritz, was finding ways to motivate developers to create more secure software, as well as disincentives for criminal and malicious behavior. “Problems come from executives pushing things into the market to provide a new service or product to stay ahead of the competition,” Moritz said. The incentives subgroup recommended making the security of software one measure of a developer’s job performance.

Moritz pointed out that the work of the task force is only a recommendation, adding, “I don’t think any of us think mandates are required or should be pursued.”

The National Cyber Security Division of the U.S. Department of Homeland Security could simply advise purchasing agents, CIOs and programmers to begin to implement the recommendations. He did say the department could stop doing business with vendors that fail to show that they’ve implemented the recommendations to write secure code.

With the departures of Tom Ridge as secretary of the Homeland Security Department and Amit Yoran as head of the National Cyber Security Division, Moritz admitted the initiative has momentarily stalled. But he added that similar initiatives to create and ensure secure software already are under way in the industry.

