Task Force: Patches Must be Small, Easy to Install

A high-powered cybersecurity task force says software vendors must adopt patch management principles to ensure security patches are well-tested, small, localized, reversible and easy to install.

The National Cyber Security Partnership (NCSP), a public-private task force that includes participation from the Business Software Alliance (BSA), issued its recommendations in a 123-page report (PDF file) aimed at improving security across the software development lifecycle.

The NCSP made four key recommendations in its report, calling for an improvement in the education of software developers, the development of best practices to make sure security is at the core of the software design process, the adoption of guiding principles for patch management and the creation of an "incentives framework" for policymakers and developers.

The task force, which is co-chaired by Microsoft chief security strategist Scott Charney, proposed the creation of a new initiative to put security at the heart of software development programs at the university level. It also called for a Software Security Certification Accreditation Program.

"Security is a serious problem and, if present trends continue, could be much worse in the future. No simple silver bullets will solve the software security problem," the group said. "As a long-term multifaceted problem, it requires multiple solutions and the application of resources throughout the lifecycle."

The report recommends that four sub-groups be created to focus on tightening Internet security in the face of a barrage of overt attacks by malicious hackers targeting software flaws. Initially, the group's Education sub-group insisted that security should be a key subject area in software development programs in schools.

In the long term, the NCSP's "Patching" sub-group defined steps to help make that the patching process simple, easy, and reliable. The group called for the adoption of a "top-ten" list of best practices to ensure vulnerability patches are properly tested and simple to install.

"Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods," the group said.The task force calls for smaller, simplified patches comes on the heels on a concession from Microsoft that narrowband customers were having problems downloading and installing critical software fixes.

Earlier this year, Microsoft security program manager Christopher Budd told internetnews.com a removal tool for the destructive Blaster worm has to be stripped down to keep the file size small to reach dial-up users.

He said the file size and complicated nature of security patches are a "definite hurdle" the company faced in its attempts coax users with a dial-up Internet connection to wait through the download and then install the software fix.

"It is an intractable engineering problem. The smaller the patch, the less of a hurdle it will be to reach narrowband customers. That's the most effective thing we can focus on. I think we can reduce patch sizes and get it to an acceptable level but, it will always be a problem because of the way patches are designed," Budd said.