A free-wheeling debate on software security at the 2006 International Conference on Network Security in Reston today reached no clear consensus on who is responsible for the disappointing quality of software. There was agreement, however, that federal security certification programs could serve as models for improving private-sector IT security. One audience member criticized the security and development communities for focusing on clever tricks for solving individual problems, and deplored the lack of due diligence by organizations in designing networks and deploying software. Stuart Katzke of the National Institute of Standards and Technology said that standards and guidelines developed by NIST could help supply a methodology for that due diligence. He said the suite of documents produced under the Federal Information Security Management Act effectively establishes a baseline level of due diligence for government IT systems.