The software industry is trying to head off the threat
of legislation that would make it liable for poor quality
code.
EMC, Juniper Networks, Microsoft, SAP and Symantec have set up a forum to develop and
share best practice for writing software to improve the quality of
code and ultimately users' trust in IT and communications
products.
Former White House security advisor Paul Kurz, who heads the
SafeCode forum, said government, critical national infrastructure
owners, and large enterprises wanted systems that could resist
attacks. "We will work with them and academia to improve software
assurance."
Asked if governments or other large users had threatened to
introduce laws to make software suppliers liable for poor quality
code, Kurz said, "The subject has been mentioned."
SafeCode has collected £25,000 each from its members and is
looking for more backers.
IBM, Oracle and Cisco were among firms looking at the
proposition.
Kurz said the forum has five aims:
• Increase the understanding of the secure development
methods and integrity controls used by suppliers
• Promote proven software assurance practices among suppliers
and customers to foster a "more trusted ecosystem"
• Identify opportunities to leverage such practices to manage
enterprise risks better
• Persuade universities to change their curriculums to "support
the cybersystem"
• Research and develop software assurance initiatives and
practices
Kurz said he would work with other initiatives, such as the
International Standards Organisation and the ISSA, to improve
software quality, and invited other software houses to join. "The industry
needs to stand together here. We have a programme of work that
needs funding," he said.
Kurz said members would share best practices to find common
ground and also understand differences in approach. The first fruits
were likely to appear in 90 to 120 days.
Information Assurance (CSIA), noted that the £125,000 in
sponsorship collected so far "wasn't there a year ago". The CSIA is
the driving force behind the government's National Information
Assurance strategy (NIAS).