U.S. security plan more a dream than a reality

The National Cyber Security Partnership has announced plans in the U.S. to make cyberspace safer, but MessageLabs in Australia claims that these ideas could be impractical to implement across all vendors.

The voluntary recommendations include common configurations among software vendors and source code security testing.

These were drawn up after experts from industry, government and academia spent four months working out shared requirements to help customers make better IT purchases and experience tighter security in the next wave of software products.

The key areas of the recommendations include: common configuration; research and development; technical standards; products architecture; and the use of National Information Assurance Partnership metrics.

The hope is that these ideas will prevent hackers from infiltrating vulnerable software systems. Some companies avoid this by paying third-party security companies to protect the product, but the task force wants the vendors to take more responsibility.

But David Banes, from MessageLabs, claims that the vendors have too many vested interests to really meet standardisation. "There is a need for this increased security program to work, but it is too much of a big job, and I don't think it is practical. What you are essentially doing is asking vendors to rebuild and put in new systems and processes.

"The idea is too big to meet the reality. Microsoft is making a big push to improve its level of security by standardising its different systems. But most big vendors are guilty of adapting standardisation to suit their environment. They tend to do what is best for their business instead of what is best for the industry as a whole."

An example of one of these mammoth tasks is the suggestion by the partnership's technical standards working group that the government should require the configuration and patching of software for different groups of users such as government, home, and specific sectors like healthcare, finance and education.

It also recommends that vendors take a more proactive role in the development of product security recommendations, configuration checklists, best practices, assumptions, dependencies and considerations in their product documentation.

In addition, it suggested that evaluations and tests be carried out by approved institutions licensed by the National Institute of Standards and Technology.

We will just have to wait and see if the vendors take up the challenge to deliver these security needs to their customers.
