A high-powered cybersecurity task force says software vendors must adopt patch management principles to ensure security patches are well-tested, small, localized, reversible and easy to install.
The National Cyber Security Partnership (NCSP), a public-private task force that includes participation from the Business Software Alliance (BSA), issued its recommendations in a 123-page report (PDF file http://www.cyberpartnership.org/SDLCFULL.pdf) aimed at improving security across the software development lifecycle.
The NCSP made four key recommendations in its report, calling for an improvement in the education of software developers, the development of best practices to make sure security is at the core of the software design process, the adoption of guiding principles for patch management and the creation of an “incentives framework” for policymakers and developers.
The task force, which is co-chaired by Microsoft chief security strategist Scott Charney, proposed the creation of a new initiative to put security at the heart of software development programs at the university level.
The report recommends that four sub-groups be created to focus on tightening Internet security in the face of a barrage of overt attacks by malicious hackers targeting software flaws.
Initially, the group’s Education sub-group insisted that security should be a key subject area in software development programs in schools.
In the long term, the NCSP’s “Patching” sub-group defined steps to help make that the patching process simple, easy, and reliable.
The group called for the adoption of a “top-ten” list of best practices to ensure vulnerability patches are properly tested and simple to install.
“Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods,” the group said.