Now that compliance with the Sarbanes-Oxley Act is a fact of life for large companies, maybe its time to shine the light of regulation on new fields—maybe its time to federally regulate software vendors.
SarbOx is intended, in part, to protect the publics financial investments. But what about the investments that companies make in the software used to run their businesses, which, in turn, serve the public? How do you know if your software vendor is adhering to development practices that protect your organizations financial investments and business goals? How many failures have resulted from software vendors overlooking critical security or other issues in a rush to bring another product to market? Perhaps more than anyone will admit.
In a competitive marketplace, software quality determines a vendors survival. But in software markets dominated by a monopoly, perhaps regulation is needed. Even in markets with competition, the nature of software deployment precludes a rapid switch from one vendors products to anothers.
Federal control shouldnt be advocated lightly, but federal regulation of the automotive industry, for example, has led to safer vehicles with fewer dangerous emissions. Plenty of other industries, including pharmaceuticals, food and manufacturing, are regulated in the public interest. The benefits are obvious.
Software regulatory compliance could obligate vendors to do a better job of testing and identifying weaknesses before releasing products. In security, vendors would have to meet minimum standards—perhaps similar to those required by government contracts. Compliance levels could be graded according to the software layers, including operating systems, middleware, databases and applications. The strictest security compliance would be required at the lowest level, the operating system.
Other regulations might require disclosure of the number and severity of software failures. Some vendors already do a good job disclosing this information, but others dont, which means many software buyers have to scour the Internet for reports on problems similar to their own. In some cases, a vendor wont admit to a problem until there is so much evidence that it cant be hidden anymore. Worse is the failure of vendors to provide a timely fix unless they deem it worthwhile.
Regulation could dictate the minimum time a vendor has to provide a satisfactory update to a known problem. Additional guidelines might cover issues such as the number of years required to support a software release, forward software compatibility and adherence to quality development practices.
The financial investment in software is staggering. While federal regulation is not a panacea, the current methods of policing and protecting our investments have failed both business and the public. Unless we act, the damage we suffer will worsen.
Paul C. Tinnirello is a CIO in the financial publishing industry. Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to firstname.lastname@example.org.