Users demand vendors take responsibility for buggy software

Users faced with buggy software say they get a rough deal from vendors to the point where a tertiary institution maintains a full-time department dedicated to checking and re-testing new applications.

The University of Western Sydney standard operating environment team leader Gavin Robinson describes it as a constant struggle that involves battling vendors across the globe.

"Yes, vendors do have a single, simple solution to your problem. What we have found the hard way is that whether or not you get it depends on how tenacious, persistent and occasionally aggressive you can be," Robinson said.

The university has a dedicated department where rigorous testing is undertaken to ensure what they want in a software application is what they actually get.

Robinson said an incident - where an incompatibility between an operating system and an application resulted in a fatal error - saw each vendor blame the other and neither take responsibility for the "stuff up".

"Vendors do not take responsibility and I think that is the key to the whole issue, they should be responsible for what they provide," he said.

When approaching vendors with specific questions, the university's IT procurement coordinator, Vicki Robinson, said she feels like a small fish in a big pond and that she is not taken seriously.

Such concerns support a warning by analyst firm Gartner last week stating that if organizations do not include security as a criterion when building or buying software systems, downtime caused by security vulnerabilities will grow from 5 percent in 2004 to 15 percent in 2008.

Gartner vice president John Pescatore said end users need to pressure vendors to build more-secure software to prevent an escalation in downtime.

However, Deakin University IT director Richard Tan said Australian users have been conditioned into accepting software or systems which turn out to be not inherently secure.

"The whole issue is extremely disappointing for an end user and we are forced to rely on vendors for support and advice," he said.

Queensland University of Technology Professor Bill Caelli said the amount of pressure end users could effectively place on vendors is minimal.

"There is no point blaming a driver for not buckling up in a car if it doesn't have any seat belts; the real problem is that today, commercial operating systems and middleware are basically far less secure than mainframe systems of the early 1970s," Caelli said.

"Even IBM, in a paper released last year, said it was ridiculous to create a secure application on top of insecure operating systems and middleware."

Pressure on CIOs to minimize costs by utilizing outsourcing and offshoring, Caelli said, has pushed security to the bottom of the list as a purchasing priority.

"The answer, like anything else in life, appears to be a mixture of good legislation and enforcement coupled with market education and awareness," he added.

(With Sandra Rossi.)