Cyber Security Institute

Tuesday, April 18, 2006

Software insecurity: Plenty of blame to go around

A free-wheeling debate on software security at the 2006 International Conference on Network Security in Reston today came to no clear consensus on responsibility for the disappointing quality of software.  On the other hand, it was agreed that federal security certification programs could serve as models for improving private sector IT security.  One audience member criticized the security and development communities for focusing on clever tricks for solving problems and deplored the lack of due diligence by organizations in designing networks and deploying software.  Stuart Katzke of the National Institute of Standards and Technology said that standards and guidelines developed by NIST could help provide that methodology.  He said the suite of documents produced for the Federal Information Security Management Act effectively establish a level of due diligence for government IT systems.

Development of the standards and supporting guidelines is the first phase of FISMA implementation, he said.  “We’re completing the last document now,” Katzke said.

NIST has begun the second phase of implementation, which is an accreditation program for security assessment providers.  A third phase, development of a system to validate FISMA compliance tools, is “out in the future.”

Keith Beatty of Science Applications International Corp. went out on a limb by praising the oft-criticized Common Criteria program operated by NIST and the National Security Agency.  “You don’t get your evaluation before the product goes out the door,” one person said.

One person said the Common Criteria evaluation was not worth the $150,000 “entry fee” a vendor could expect to pay unless the vendor had a government contract in hand that would justify the process.

Posted on 04/18