When software fails 'lock up the vendor'

The federal government has been called upon to lift current IT standards by penalising software vendors for selling insecure products which contribute to cyber attacks.

"The government could publish a blacklist and if security holes are sustained over a long period, the executives selling that product can be gaoled," Professor William Caelli, Queensland University of Technology's head of the data communications school, said.

He said industry must be forced by law to comply with security standards because it won't do anything voluntarily that involves extra cost.

He said he believes there isn't a single vendor complying with current security standards developed by the US government and known as the Common Criteria.

The criteria document is published in Australia on the Defence Signals Directorate's Web site (www.dsd.gov.au/in-fosec/commoncriteria). Australia is a signatory to the international Common Criteria standard, which evaluates systems by providing ratings.

Referring to standards codeveloped by government to regulate the motor vehicle industry, he said: "In the IT industry, they're selling cars without brakes and then blaming the driver. I don't know why the IT industry thinks it's different to any other. In the pharmaceutical industry you can't just go out and create a new drug."

"It is the government's responsibility to enforce standards as it has with every other industry; vendors just can't keep on blaming the driver." Caelli has just returned from the Global InfoSec Summit in Washington where there was plenty of discussion about global cyber laws but not everyone blamed hackers, the obvious bad guys.

Delegates called for industry groups to put pressure on vendors to ensure software is examined.

Citigroup chief information security officer Steve Katz said the Banking Industry Technology Secretariat (BITS) has taken up the challenge by establishing a security laboratory.

The laboratory tests the security features of banking applications and Katz said if a product doesn't pass "you are going to have a problem getting in the door of a financial institution".
