IT vendors should improve default security settings in their products, a committee of the National Cyber Security Partnership Task Force (NCSP) has said in a set of recommendations it has released on technical standards.

The NCSP's Technical Standards and Common Criteria committee, along with academics, government officials, IT vendors and customers have asked vendors to provide stronger "out-of-the-box" security configurations.

The 104-page committee report [pdf] is intended to put more pressure on vendors about default security settings and raise awareness about best practices and security audits, said Mary Ann Davidson, chief security officer at Oracle, and co-chairwoman of the committee. "We're trying to change the dynamic to 'Vendors ought to do this'," she explained.

Earlier this month, we revealed how Windows machines will remain a security risk for years, in part due to vendors' failure to install the latest fixes and patches on new PCs before they sell them.

The committee, which worked on the recommendations for four months, actually revised its work to give the recommendations stronger wording, she said. Among the recommendations are that:

Vendors should provide more substantive security recommendations, configuration checklists and best practices to customers.

The US government, user groups and customers should encourage more independent security evaluations of IT products.

The US government should help offset the costs of an IT vendor going through a Common Criteria security evaluation through tax credits or other methods.

The US government should fund the development of code-scanning tools that detect flaws in software code.

But many of the recommendations place the responsibility for cybersecurity on vendors. "As an industry, we corporately need to do a better job of security infrastructure," Davidson said.

Davidson plans to take the recommendations, as well as others from NCSP, back to Oracle to see how her company can improve security, she said. "This is not done, we're not thinking, 'We've issued a report and we can go home'," she added. "Most of us want to take it to the next level and show concrete progress."

The National Cyber Security Partnership was established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure, following the release of the White House National Strategy to Secure Cyberspace in February 2003 and the National Cyber Security Summit in December.

The partnership is led by TechNet, the Business Software Alliance, the Information Technology Association of America and the US Chamber of Commerce.