You cant say I didnt warn you, software vendors. Time and again, I—and many other columnists and security pundits—have pointed out that if you didnt get your act together when it came to securing your product and writing quality code, your customers would eventually hold you accountable.
Well, guess what: That time has come, and the customers holding you accountable are the CEOs of some of the biggest companies in the world. Recently, Business Roundtable, an organization composed of the CEOs of 150 companies—including Coca-Cola, Ford Motor Co. and General Electric—issued a release on cyber-security. While there arent a lot of new concepts in the Roundtables statement on cyber-security, I really like its focus. It recommends important steps, such as emphasizing market solutions as opposed to regulatory fixes and CEOs and boards of directors placing high priorities on security.
But in all these well-written and collegial statements about security and the shared responsibilities of customers and software vendors, there is a clear warning shot for software vendors.
The Business Roundtable CEOs are clearly stating that the software industry has not done enough to ensure the quality of its products and has, in fact, made the job of securing company assets harder than it should be. And they point out that the leading cause of security problems is the lack of quality assurance in software products.
Some nice quotes from the Business Roundtable policy include: "Most of the significant cyber incidents that have harmed American business and consumers over the past several years have had at their root cause defective and readily exploitable software code," and "Most software development processes used today do not incorporate effective tests, checks or safeguards to detect those software coding defects that result in product vulnerabilities."
None of this is news to anyone who even remotely follows cyber-security. But to hear these statements from some of their biggest and most powerful customers has to put a chill down the spine of many software vendors.
Even better is a statement from a press release that Business Roundtable put out in which Roundtable President John Castellani talks about urging the marketplace to improve quality and security in IT products and ensuring that the products Business Roundtable members buy meet the highest security standards.
From these statements, its clear that Business Roundtable members are talking about using their IT budget clout to ensure improvements happen and that they will reward with business those who show they care about security.
Typically, when statements like these are released by security or consumer watchdog groups, the IT industry basically ignores them. But vendor groups are so terrified by what Business Roundtable is saying that they immediately released statements emphasizing all the money theyve spent and initiatives theyve started to improve cyber-security.
If I were in the software industry, I dont think Id be painting these efforts as a positive. Most of the high-profile programs to improve software security have been in place for a few years now—years in which security problems have grown exponentially. It would be charitable to say these programs have failed miserably.
And despite their protests, it looks like software vendors are finally facing someone they cant put off or bully. With these customers, they wont be able to hide behind legally questionable end-user licenses that shamelessly try to indemnify them from their own failure to write secure code.
So I want to thank the members of Business Roundtable for making this statement, and I encourage them to stick to their guns. By letting software vendors know enough is enough, youll be doing a great service for all businesses, users and the Internet itself.
And to software vendors, this is your chance to make amends. Do what it takes to improve software quality and security. If you do, youll be rewarded by lucrative deals with the best possible customers. If you dont, you shouldnt be surprised when all those IT dollars stop coming your way.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.