US telecoms giant Sprint is developing a policy that would require
all software vendors to provide it with the results of independent
security tests before it will consider purchases.
Sprint chief security officer Robert Fox told the Infosecurity
Conference & Exhibition in New York: "We're working on a new
policy for software vendors that will say, 'Before you deliver your
software to Sprint, you need to run certain tests and tell us the
results'."
Other industries, particularly banking, have long required software
vendors to meet a set of common security criteria for equipment
configuration and sometimes operating system configuration.
However, this is the first time that a major telecommunications
company is requiring such testing for all software purchases.
If the Sprint policy gets established across the sector, it would
put "telecommunications ahead of the curve in adopting a very good
practice," said Gartner analyst John Pescatore.
"If enterprises are willing to buy flimsy software, vendors will
sell them the flimsiest software. If companies vote with their
pocketbooks for more secure software, vendors follow."
Despite the Sprint initiative, Fox said he would prefer to see
government take a lead in demanding better software security.
"I don't think the private sector knows how to [talk tough to the
software industry] yet," he told delegates to the show. Most
companies make requests to vendors for improved security on an
individual basis, he said. As a result, the private sector is not
speaking with one voice.
The US government is making tentative moves to drive up standards.
From 1 July, all software companies wanting to sell to the US
Department of Defense will have to have their products' security
claims validated by a third party.