Telco demands independent security tests for software

US telecoms giant Sprint is developing a policy that would require all software vendors to provide it with the results of independent security tests before it will consider purchases.

Sprint chief security officer Robert Fox told the Infosecurity Conference & Exhibition in New York: "We're working on a new policy for software vendors that will say, 'Before you deliver your software to Sprint, you need to run certain tests and tell us the results'."

Other industries, particularly banking, have long required software vendors to meet a set of common security criteria for equipment configuration and sometimes operating system configuration.

However, this is the first time that a major telecommunications company is requiring such testing for all software purchases.

If the Sprint policy gets established across the sector, it would put "telecommunications ahead of the curve in adopting a very good practice," said Gartner analyst John Pescatore.

"If enterprises are willing to buy flimsy software, vendors will sell them the flimsiest software. If companies vote with their pocketbooks for more secure software, vendors follow."

Despite the Sprint initiative, Fox said he would prefer to see government take a lead in demanding better software security.

"I don't think the private sector knows how to [talk tough to the software industry] yet," he told delegates to the show. Most companies make requests to vendors for improved security on an individual basis, he said. As a result, the private sector is not speaking with one voice.

The US government is making tentative moves to drive up standards. From 1 July, all software companies wanting to sell to the US Department of Defense will have to have their products' security claims validated by a third party.
