Thursday, April 1, 2004

Gary fired off a message to SC-L pointing out that the National Cyber Security Partnership released a set of reports about the problems with software security today. Included was a report [1] that he co-authored with Mike and a few others on the process of producing secure software.

The principal recommendations in this report are in three categories:

  1. Principal Short-term Recommendations
    • Adopt software development processes that can measurably reduce software specification, design, and implementation defects.
    • Producers should adopt practices for producing secure software.
    • Determine the effectiveness of available practices in measurably reducing software security vulnerabilities, and adopt the ones that work.
    • The Department of Homeland Security should support USCERT, IT-ISAC, or other entities to work with software producers to determine the effectiveness of practices that reduce software security vulnerabilities.
  2. Principal Mid-term Recommendations
    • Establish a security verification and validation program to evaluate candidate software processes and practices for effectiveness in producing secure software.
    • Industry and the DHS establish measurable annual security goals for the principal components of the US cyber infrastructure and track progress.
  3. Principal Long-term Recommendations
    • Certify those processes demonstrated to be effective for producing secure software.
    • Broaden the research into and the teaching of secure software processes and practices.
Tags:: Security