Tech industry launches initiative to boost software security

A major new industry initiative could ensure the quality and security of software

A major new industry initiative has been launched at this year’s RSA Conference Europe, designed to improve the quality and security of software by promoting and sharing best practices among the vendor community, and engaging with government and critical infrastructure providers.

SafeCode was announced with founding members Microsoft, EMC, Symantec, Juniper Networks and SAP. It will attempt to “raise the watermark for improving security and integrity over time”, according to executive director and former Cyber Security Industry Alliance (CSIA) head, Paul Kurtz.

The group will comprise two or three committees including one technical in nature and one which will deal with matters at a public policy level, as well as action groups to reach out to government, academia and critical infrastructure providers, to “understand what they want”, he explained.

“It’s not a standards body or a lobbying organisation [but] by promoting the individual best practices of firms we get the greatest chance to improve overall best practices,” Kurtz added. “The issue right now is how to triage the problem and find the most important things to work on together.”

Kurtz wouldn’t be drawn on whether SafeCode was in effect an attempt by the technology vendor community to pre-empt and prevent potentially heavy-handed legislation by national governments in the area of software liability.

“There’s been discussion about legislation but a lot has been done by firms about best practices and we need to be transparent about them with government and the private sector,” he explained. “Government in a UK and EU context has said such an organisation [as ours] would be welcome.”

Not everyone was convinced by the new organisation. Analyst Jon Collins argued that SafeCode needs to accrue a “critical mass” of members before it can make an impact on the software industry.

“Otherwise the hackers will start targeting those vendors who aren’t members or who have weaker processes,” he added.

Bruce Schneier, encryption expert and chief technology officer at BT Counterpane, argued that laws are still needed to enforce vendor liability in the IT industry. “There will be and has to be legislation,” he added. “It’s pure economics – we won’t get good software if the vendors aren’t [held accountable].”

Phil Dunkelberger, chief executive of encryption firm PGP Corporation, argued that there was a certain amount of fear in the software industry that potential EU legislation could force many software companies to pull out of investment in the region.

“The struggle the industry has is do you have the well-meaning people protecting the consumer?” he added. “The flip side is that it turns into legislation around technology and you don’t want the people who don’t do this every day making [the decisions].”

He argued that the IT security industry must also “quit making complex IT problems simple” in order to market their solutions or it will eventually be found wanting. “All these things go through an evolutionary cycle,” he added. “The real piece is that what will survive must be manageable, usable and deployable – when it becomes unusable, people turn it off.”

Lord Erroll, one of the contributors to the recent Lords report on personal internet security which called for vendor liability, explained that individuals and organisations need to be incentivised in order to carry out their security responsibilities. To that end, the Lords’ report recommended that ISPs be allowed to track and stop botnets without losing their ‘mere conduit’ immunity.

“The answer is not train and blame but to incentivise people that they could do something about it,” he added.

Elsewhere, Christopher Kuner, head of the international privacy and information management practice at lawyers Hunton and Williams said that holding vendors liable for security flaws in products “could be even more powerful” than breach notification laws in terms of making stakeholders take security seriously.

“Whether it’s a bank or a vendor, in the world we live in, there needs to be basic security built in to every product,” he added. “But I’m sceptical about going as far [as a law] – it would be hard to establish a standard of care for building software products.”