FOR ADDITIONAL INFORMATION:
Clausing, 202-530-5127, [email protected]
Computer Associates: Nicole Keating, 202-973-4788, [email protected]
Microsoft: Jenny Murphy, 202-337-0808, [email protected]
NCSP: Doug McGinn, 202-715-1558, [email protected]
Cyber Security Partnership Task Force
Report on Security Across the Software Development Lifecycle
D.C., April 1, 2004 – A task force of security technology experts, academics and business and government officials today released its first round of recommendations for improving software security (www.cyberpartnership.org/init-soft.html). In a 100-plus page report that takes the first in-depth look at improving security across the software development lifecycle, the task force of the National Cyber Security Partnership (NCSP) issued preliminary recommendations and agreed on a number of areas to focus its future efforts.
"Software security is a serious, long-term multifaceted problem that requires multiple solutions and the application through the development lifecycle," said task force Co-Chair Scott Charney, chief security strategist for Microsoft. "There is no silver bullet for making software secure. But we are pleased that so many people dedicated their time to delving into this very complicated area to begin formulating solid recommendations for improving software security at all levels in the future."
"The task force has taken important steps forward in the long road toward implementing key components of the National Strategy to Secure Cyberspace," said task force Co-Chair Ron Moritz, chief security strategist for Computer Associates. "By helping to improve research, education, software development and the processes by which patches are distributed and managed, these initiatives will further augment the economic value and social benefits that software delivers—while making the global digital environment significantly more secure."
The report makes four key recommendations:

- the education of current and future software developers, including creation of a new initiative to make security a core component of software development programs at level, and a Software Security
- best practices for putting security at the heart of the software design
- a set of "Guiding Principles for Patch Management" to ensure patches are well-tested, small, localized, reversible and easy to install.
- an "Incentives Framework" that policymakers, developers, companies and others can use to develop effective strategies and incentives for making software more secure.
The task force, "Improving Security Across the Software Development Lifecycle", was co-chaired by Charney and Moritz. The Business Software Alliance served as secretariat for the group, which also included members from a broad range of backgrounds, including universities, the government, security consultants, think tanks, associations and the private sector.
The National Cyber Security Partnership (www.cyberpartnership.org) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies, and industry experts. Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, the public-private partnership was established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure. The task forces will be releasing separate work products beginning in March 2004 and ending in April 2004.
The Business Software Alliance (www.bsa.org) is the foremost organization dedicated to promoting a safe and legal digital world. The BSA is the voice of the world's software Internet industry before governments and with consumers in the international marketplace. Its members represent one of the fastest growing industries in the world. BSA educates computer software copyrights and cyber security; advocates public fosters innovation and expands trade opportunities; and fights software piracy. BSA members include Adobe, Apple, Avid, Bentley Systems, Borland, Cisco Systems, CNC Software/Mastercam, HP, IBM, Intel, Internet Security Systems, Intuit, Macromedia, Microsoft, Network Associates, PeopleSoft, RSA Security, SolidWorks, Sybase, Symantec, UGS PLM Solutions Inc. and VERITAS Software.