A group formed by the software industry last December has released its first recommendations in a far-reaching plan to improve the security of software development - and ward off government legislation mandating better software security.

The report, at over 100 pages, was published on Thursday by a task force of the National Cyber Security Partnership (NCSP), whose members include most major software companies, as well as industry experts, US government agencies and academics. Security should be promoted at every stage of the software development cycle, the report said; its recommendations include security-oriented university training, best practices for secure software design, better-organised patch management, and incentives for public- and private-sector organisations to build more secure systems.

The report is one of five released by the NCSP in March and early April. Reports on security awareness for home users and small businesses, and on a workable cybersecurity warning system, arrived in mid-March. Two more, covering technical standards and making boardrooms more responsible for IT security, will appear in the next few days.

The NCSP was formed last December at the US' first National Cyber Security Summit in an effort to convince US legislators to keep their hands off private industry - which operates 85 percent of the US' critical infrastructure, yet faces far less stringent legal security requirements than the public sector. The imminent threat late last year was a US bill that would have required companies to add the results of a security audit to their publicly-disclosed Securities and Exchange Commission (SEC) filings.

Efforts are also being made in the EU to hold organisations accountable for their internal security, but these have tended to be tied to accounting-practices legislation.

Yet the report allows that, in some cases, limited government regulation may be needed to ensure software security. The report said systems running important infrastructure, such as banks, telephone networks and water pipelines, "may require a greater level of security than the market will provide". Even in those cases, the NCSP report argues only for "appropriate and tailored government action that interferes with market innovation on security as little as possible".

Specific recommendations included:

  • Creating a dozen academic fellowships in US universities, funded by at least $12 million (£6.3m) in public and private funds, to improve security training for software engineers, and establishing an accreditation programme for software security certification
  • Establishing a set of best practices for software patches, to ensure they're well-tested, small, localised, reversible and easy to install
  • Offering bounties for information leading to the conviction of virus writers and hackers.

The task force emphasised that security is an ongoing process. "Software security is a serious, long-term multifaceted problem that requires multiple solutions and the application of resources through the development lifecycle," said Microsoft chief security strategist Scott Charney, co-chair of the task force. Ron Moritz, chief security strategist for Computer Associates, also co-chaired, with the Business Software Alliance helping to organise the group.

A wave of legislative interest in IT security has followed the terrorist attacks on the US in 2001 and the accounting scandals of Enron, WorldCom and others, according to industry observers, but some experts argue security-oriented laws are going too far. "Governments are producing far too much [security] legislation, at the moment, on an EU and a national basis," said analyst Fran Howarth with Bloor Research.

She argued that the Sarbanes-Oxley financial reform legislation coming into force in the US, similar laws now moving to the EU level in Europe, UK companies law and the EU's implementation of the Basel II capital accord covering financial institutions were likely to have the needed effect on security. "The provisions they contain are going to force companies to put adequate security measures in. Nothing further is needed," she said.