IT vendors could soon face financial penalties and legal suits from buyers frustrated by the poor security of their products, according to experts headlining this week's Infosecurity conference.
Delegates attending the Infosecurity Europe show, starting tomorrow at London's Olympia, will be urged to use their collective power to force vendors to take more responsibility for product security.
"Within the next six months to a year, firms will start saying, 'We won't buy your product unless it meets security due diligence requirements,'" predicted Fred Cohen, principal analyst at research firm Burton Group, who is chairing the event.
Cohen said firms are concerned that patch management is draining their resources, and argued that vendors have a responsibility to do more to stamp out common flaws. He offered the example of a Microsoft application containing 60 million lines of code that, he argued, could be verified as being free from buffer overruns for less than 50 cents a line. "The total cost of $30m is a drop in the ocean for Microsoft," he said. "Firms will take the approach of, 'If we buy from you and the product has flaws, then we'll sue.'"
John Colley, group head of information security at the Royal Bank of Scotland, said IT buyers should pressure software vendors to accept more responsibility in contracts. "[Currently] it's a crazy situation. The standard software licence will say it's not for any specific purpose and if it doesn't work, then buyer beware," he said. "This is an untenable position." Industry pressure for security will eventually force vendors to offer better assurances, he added.
Delegates will also be told that new regulations such as the Combined Code on Corporate Governance put IT departments in a strong position to demand approval for security funding. "Now is the time for investment, there are no arguments," said Andy Mulholland, chief technology officer at IT consultancy Capgemini. "Companies are responsible for managing their data properly under various pieces of legislation."
IT vendors are already coming under pressure. Last week a US government taskforce recommended that products should be built to processes backed by international security agencies, and should undergo vulnerability analysis before launch.
Separately, the UK government is trying to gain support for its four-year-old TScheme approval process, which sets out criteria for conducting secure transactions online.
However, so far only five firms, including BT and Royal Bank of Scotland, have met the criteria. By June, the DTI is hoping to use TScheme-approved systems to communicate with firms and subcontractors in the oil and gas industry via an online portal.
