The software industry is trying to head off the threat of legislation that would make it liable for poor quality code.
EMC, Juniper Networks, Microsoft, SAP and Symantec have set up a forum to develop and share best practice for writing software to improve the quality of code and ultimately users' trust in IT and communications products.
Former White House security advisor Paul Kurz, who heads the SafeCode forum, said he had spoken to government people in the US, EU and UK. "They have welcomed the move," he said.
Asked if governments or other large users had threatened to introduce laws to make software suppliers liable for poor quality code, Kurz said, "The subject has been mentioned."
SafeCode has collected £25,000 each from its members and is looking for more backers.
IBM, Oracle and Cisco were among firms looking at the proposition.
Kurz said the forum has five aims:
• To increase the understanding of the secure development methods and integrity controls used by suppliers
• To promote proven software assurance practices among suppliers and customers to foster a "more trusted ecosystem"
• To identify opportunities to leverage such practices to manage enterprise risks better
• To persuade universities to change their curriculums to "support the cybersystem"
• To research and develop software assurance initiatives and practices
Kurz said government, critical national infrastructure owners, and large enterprises wanted systems that could resist attacks. "We will work with them and academia to improve software assurance," he said.
He added he would work with other initiatives, such as the International Standards Organisation and the ISSA, to improve software quality, and invited other software houses to join. "The industry needs to stand together here. We have a programme of work that needs funding," he said.
He said he expected to have a policy committee that would direct a technical committee that would thrash out the common ground. "There will also be an advisory group to maintain communications with academia, government, and critical national infrastructure owners," he said.
Kurz said members would share best practices to find common ground and also to understand differences in approach. The first fruits were likely to appear in 90 to 120 days.