New Industry Group to Pen Bug-Reporting Standards

A new industry group, founded by the unlikely alliance of vendors and security consultancies, is set on establishing guidelines for handling security problems with the goal of protecting Internet users.

The Organization for Internet Safety (OIS), which officially announced its formation today, aims to establish a best practices list by early 2003.

Founding members include: @stake, BindView, Caldera International (The SCO Group), Foundstone, Guardent, Internet Security Systems, Microsoft, Network Associates, Oracle, SGI and Symantec.

The organization, first floated by @stake and Microsoft execs, has already written its charter and bylaws and expects to release drafts of standards for public review early next year. It is a volunteer group with no dues and no offices or full-time staff.

As part of the OIS, an advisory board, consisting of global network security managers, will be appointed. Members will serve one-year terms and work with the OIS to validate processes that the group develops. The board will be named in early 2003 as well.

The presence of Microsoft may raise eyebrows among the developer community, given its reputation for releasing software later found to have security holes.

Just this morning the company said a FrontPage extension tool known as a SmartHTML interpreter has a flaw that could leave it vulnerable to a denial-of-service attack or let attackers run code of their choice on servers.

"Every piece of non-trivial software has some flaw," said Scott Blake, a spokesman for the group. "Nobody is without blame, and there are quite a few other (software firms) involved. We are all trying to work together."

Blake added that the relationship between security consultancies and vendors has also improved recently.

John Pescatore, vice president for Internet security at IT research firm Gartner, supported the initiative.

"It's increasingly critical - to our critical infrastructure as well as to individual computer users - that security vulnerabilities be avoided when developing software, but where they occur they need to be found and eliminated as effectively as possible," Pescatore said. "Industry-consensus processes are a needed step toward making this happen."
