Task force urges security collaboration

Report on Improving Security Across the Software Development Lifecycle


Improving software security will demand a concerted effort from government, industry and higher education, said members of a national task force on software development in a report released today.

In a 100-page document, the security task force made four broad recommendations for improving software security. In most of them, members called for common knowledge to be applied where it is now given only lip service.

"As a software executive, the hardest thing to do is to look into the eyes of a team member who's been working for your company for 20 years and to say, 'You've been doing it wrong for 20 years,'" Ron Moritz, chief security strategist for Computer Associates International Inc. and a co-chairman of the task force, said in an interview. "But that's what we're doing now."

The task force defines secure software as software that preserves "the confidentiality, integrity and availability" of information. The report concluded that software security improvement requires:

Higher education to do a better job of teaching future software developers.

The software industry to make security an integral part of the design process.

Policymakers and others to create incentives that reward those who create secure software code.

And the software industry to come together on a common method of managing the process of patching software when insecurities are discovered.

Federal agencies and other organizations should carefully pick and choose which recommendations to focus on, Moritz said. "If you try to do everything, you'll probably get nothing done," he said.

The group also recommended more basic research on creating secure software. "The research process has slowed down and needs to be reenergized," Moritz said.

He cited Sun Microsystems Inc.'s Java language as a vast improvement over existing languages when it was created 10 years ago. It may be in the national interest to finance research on a language that goes even further than Java to help programmers write secure software, Moritz said.

Perhaps the harshest statement in the report came from the task force's educational subgroup: "If the United States is to progress beyond immature infrastructures created by amateurs, professionalism based on a sound university education is required."

Although the task force was not created to advise the Homeland Security Department, the report suggests a role for DHS in creating security metrics for the principal components of the United States' cyberinfrastructure and keeping track of progress in meeting those benchmarks.

"I see DHS as the project manager, as the key influencing body," Moritz said.

The task force was organized by the National Cyber Security Partnership, which includes the Business Software Alliance; the Information Technology Association of America; TechNet, a chief executive officers group; and the U.S. Chamber of Commerce. Among the partnership's members are academic, corporate, government and industry cybersecurity experts.

The task force developed its recommendations in response to the President's National Strategy to Secure Cyberspace.

