New Industry Group to Pen Bug-Reporting Standards
An unlikely alliance of vendors and security consultancies aims to release draft guidelines early next year for handling newly discovered security flaws
The Organization for Internet Safety (OIS), which officially announced its formation today, aims to establish a best practices list by early 2003.
Founding members include: @stake, BindView, Caldera International (The SCO Group), Foundstone, Guardent, Internet Security Systems, Microsoft, Network Associates, Oracle, SGI and Symantec.
The organization, first floated by @stake and Microsoft execs, has already written its charter and bylaws and expects to release drafts of standards for public review early next year. It is a volunteer group with no dues and no offices or full-time staff.
The presence of Microsoft may raise eyebrows among the developer community, given its reputation for releasing software later found to have security holes.
Just this morning the company said a FrontPage extension tool known as the SmartHTML interpreter has a flaw that could leave servers vulnerable to a denial-of-service attack or let attackers run code of their choice on those servers.
"Every piece of non-trivial software has some flaw," said Scott Blake, a spokesman for the group. "Nobody is without blame, and there are quite a few other (software firms) involved. We are all trying to work together."
Blake added that the relationship between security consultancies and vendors has also improved recently.
John Pescatore, vice president for Internet security at IT research firm Gartner, supported the initiative.
"It's increasingly critical - to our critical infrastructure as well as to individual computer users - that security vulnerabilities be avoided when developing software, but where they occur they need to be found and eliminated as effectively as possible," Pescatore said. "Industry-consensus processes are a needed step toward making this happen."