RSA 2007: Software suppliers aim to head off threat of legislation

The software industry is trying to head off the threat of legislation that would make it liable for poor quality code.

EMC, Juniper Networks, Microsoft, SAP and Symantec have set up a forum to develop and share best practice for writing software to improve the quality of code and ultimately users' trust in IT and communications products.

Former White House security advisor Paul Kurz, who heads the SafeCode forum, said he had spoken to government people in the US, EU and UK. "They have welcomed the move," he said.

Asked if governments or other large users had threatened to introduce laws to make software suppliers liable for poor quality code, Kurz said, "The subject has been mentioned."

SafeCode has collected £25,000 each from its members and is looking for more backers. IBM, Oracle and Cisco were among firms looking at the proposition.

Kurz said the forum has five aims:

• Increase the understanding of the secure development methods and integrity controls used by suppliers

• Promote proven software assurance practices among suppliers and customers to foster a "more trusted ecosystem"

• Identify opportunities to leverage such practices to manage enterprise risks better

• Persuade universities to change their curriculums to "support the cybersystem"

• Research and develop software assurance initiatives and practices

Kurz said government, critical national infrastructure owners and large enterprises wanted systems that could resist attacks. "We will work with them and academia to improve software assurance," he said.

He added he would work with other initiatives, such as the International Standards Organisation and the ISSA to improve software quality, and invited other software houses to join. "The industry needs to stand together here. We have a programme of work that needs funding," he said.

He said he expected to have a policy committee that would direct a technical committee that would thrash out the common ground. "There will also be an advisory group to maintain communications with academia, government, and critical national infrastructure owners," he said.

Kurz said members would share best practices to find common ground and also to understand differences in approach. The first fruits were likely to appear in 90 to 120 days.