Domain: cyberpartnership.org
Stories and comments across the archive that link to cyberpartnership.org.
Comments · 5
-
Vendor-dominated security group issues bad reportThe "National Cyber Security Partnership" has issued a new report on computer security. It focuses on how vendors can avoid responsibility for the defects in their products. The report suggests that the government weaken the Common Criteria for evaluating software security to conform to "commercial reality". The report suggests that the Government, at taxpayer expense, develop "code scanning" tools usable on existing software, thus deferring any action by vendors. There's no suggestion that vendors be held responsible for security flaws, or that any major changes, either technical or in business models. are required by vendors.
Virus authors have nothing to worry about from this security group.
Some excerpts:
-
While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to
comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current
and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a
more secure out-of-the-box state for several years, depending on product release cycles.
...In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process.
...In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.
-
While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to
comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current
and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a
more secure out-of-the-box state for several years, depending on product release cycles.
-
Re:Related
Insurance costs...could those be analogous to Microsoft's lobbying efforts again Open-Source software and their involvement in that security council?
-
They reccomend Government Licensing for developers
In section three of the full report there are reccomendations for education requirements for persons going into the IT and programming fields. These include a page long list of what seem to be innocuous and common sense requirements, but when this is coupled with the fact that it is Homeland Security being asked to implement the program, it adds up to background checks for anyone who wishes to learn to program, plus manditory (increasingly expensive) college education requirements.
The suggested requirements are extremely specific, and mostly are the kind of thing that programmers currently learn by doing or from both formal and informal mentoring. Taking this role out of the hands of the user groups and workplaces and placing it in the hands of the authors of standardized tests will not improve the quality of programming or security practices any more than the "No Child Left Behind Act" has improved the quality of public education in this country and will likely eliminate many of those who are capable of creating the next batch "best practices" by discouraging independant thinking, thus reducing most software authoring and administration practices to a set of "acceptable minimum requirements" that is dictated by government bureaucrats instead of determined by the combined expirience of the software community.
-
The endless irony of microsoft
I thought it quite ironic that in the 3 page brief they said,
"No simple silver bullets will solve the software security problem."
But truly, what is the most outstanding characteristic of a silver bullet? (aside from being silver of course). That they are expensive and nearly no one can afford them. No one, except perhaps Microsoft, who happens to be the co-chair of this 'task force'.
By getting the government to adopt this, isn't Microsoft essentially forwarding all of it's tech support trouble calls towards them? -
What's the fuss?
Sure, Microsoft and the BSA aren't the bosom buddies of most Slashdot readers. And for good reason. However, a quick look through the 3-page summary document revealed what seemed to be a reasonable plan of action, rather than a scheme for total world domination.
Of course, if it turns out that the outcome of the regulation process is Microsoft-controlled security protocols and procedures, then there's something to beef about. However, at this early stage I see nothing more than an attempt to codify a national stance on computer security. Accordingly, I'm going to leave my tinfoil hat in its box for the moment.