Processes to Produce Secure Software
Gary fired off a message to SC-L pointing out that the National Cyber Security Partnership released a set of reports about the problems with software security today. Included was a report that he co-authored with Mike and a few others on the process of producing secure software.
The principal recommendations in this report are in three categories:
Principal Short-term Recommendations
Principal Mid-term Recommendations
- Adopt software development processes that can measurably reduce software specification, design, and implementation defects.
- Producers should adopt practices for producing secure software.
- Determine the effectiveness of available practices in measurably reducing software security vulnerabilities, and adopt the ones that work.
- The Department of Homeland Security should support USCERT, IT-ISAC, or other entities to work with software producers to determine the effectiveness of practices that reduce software security vulnerabilities.
Principal Long-term Recommendations
- Establish a security verification and validation program to evaluate candidate software processes and practices for effectiveness in producing secure software.
- Industry and the DHS establish measurable annual security goals for the principal components of the US cyber infrastructure and track progress.
- Certify those processes demonstrated to be effective for producing secure software.
- Broaden the research into and the teaching of secure software processes and practices.
I took a quick look at it just at the end of lunch, and it looks pretty good. I will take a more thorough read of it this afternoon after I finish up on some threat modeling I am currently doing.
Posted by SilverStr at April 1, 2004 02:34 PM