[prev in list] [next in list] [prev in thread] [next in thread] 

List:       isn
Subject:    [ISN] Feds, Oracle team up to boost security
From:       InfoSec News <isn () c4i ! org>
Date:       2003-09-23 15:01:03
[Download RAW message or body]

http://www.computerworld.com/securitytopics/security/story/0,10801,85202,00.html

Story by Jaikumar Vijayan
SEPTEMBER 19, 2003
COMPUTERWORLD 

Five federal agencies, in collaboration with the Center for Internet
Security and Oracle Corp., tomorrow will announce a broad federal
procurement initiative to improve software security.
 
Under the initiative, software vendors will have to ensure that their
software meets specific safe configuration requirements and that any
fixes they provide to patch vulnerabilities are reliable and won’t
compromise these configurations.

The idea behind the initiative is to use the federal government’s
purchasing power to make software vendors accept more responsibility
for the security of their software, said Alan Paller, director of the
SANS Institute, a Bethesda, Md.-based security research firm.

The initiative was prompted by the growing problems users face because
of unsafe software configurations, he said, adding that software
vendors will be required to ensure that default settings are secure to
avoid problems later on.

The federal government recently launched a procurement program called
SmartBuy, which it hopes will drive better pricing and contractual
terms from software vendors by consolidating purchases. SmartBuy will
allow federal agencies to negotiate tougher terms relating to
security, Paller said. The initiative being announced Tuesday is an
example of that tougher stance.

“This is about partnering with vendors so that they take
responsibility” for software security, Paller said. He added that he
expects the federal initiative to set a model for software procurement
in the private sector as well.

Karen Evans, CIO of the U.S. Department of Energy who was recently
named by President Bush to head all e-government initiatives, will
announce the first contract to be signed under the initiative.

The contract will demonstrate “a new way for government to purchase
software with security built in,” according to a press alert from the
CIS, which is organizing the event.

The other federal agencies participating in the announcement are the
U.S. Department of Homeland Security, the National Security Agency,
the Defense Information Systems Agency and the U.S. General Services
Administration. Also involved in the announcement are approximately
120 CIOs and security specialists from government and industry.

Sources familiar with the announcement confirmed Oracle’s involvement
in the initiative. An Oracle spokeswoman today declined to comment.

CIS Vice President Bert Miuccio said the initiative builds on a
CIS-led effort last year involving the creation of benchmark security
standards for Windows 2000 professionals. That effort focused on
creating a checklist of security settings for Windows 2000 systems
that vendors could use when shipping systems to users.

Last year’s initiative was backed by several government agencies,
including NSA, DISA and the National Institute of Standards and
Technology. The scope of Tuesday's announcement is significantly
broader, Miuccio said.

Dan Verton contributed to this story.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.
[prev in list] [next in list] [prev in thread] [next in thread]