April 01, 2004

Processes to Produce Secure Software

Gary fired off a message to SC-L pointing out that the National Cyber Security Partnership released a set of reports about the problems with software security today. Included was a report that he co-authored with Mike and a few others on the process of producing secure software.

The principal recommendations in this report are in three categories:

  1. Principal Short-term Recommendations
    • Adopt software development processes that can measurably reduce software specification, design, and implementation defects.
    • Producers should adopt practices for producing secure software.
    • Determine the effectiveness of available practices in measurably reducing software security vulnerabilities, and adopt the ones that work.
    • The Department of Homeland Security should support USCERT, IT-ISAC, or other entities to work with software producers to determine the effectiveness of practices that reduce software security vulnerabilities.
  2. Principal Mid-term Recommendations
    • Establish a security verification and validation program to evaluate candidate software processes and practices for effectiveness in producing secure software.
    • Industry and the DHS establish measurable annual security goals for the principal components of the US cyber infrastructure and track progress.
  3. Principal Long-term Recommendations
    • Certify those processes demonstrated to be effective for producing secure software.
    • Broaden the research into and the teaching of secure software processes and practices.

I took a quick look at it just at the end of lunch, and it looks pretty good. I will take a more thorough read of it this afternoon after I finish up on some threat modeling I am currently doing.

Happy reading!

Posted by SilverStr at April 1, 2004 02:34 PM