Demand secure code
Retail and financial services companies get the benefit of a third-party audit of their software vendors' code. IT executives in other industries should call for the same protection.
This week, the PCI Security Standards Council announced the availability of its new Payment Application Data Security Standard (PA-DSS). PA-DSS gives software vendors a set of best practices for developing secure payment applications: applications that don't store sensitive authentication data such as personal identification numbers (PINs), and that support merchants in meeting the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Once a certification process is established, retailers will be able to purchase applications with a PA-DSS "good housekeeping" seal of approval.
Hmm, what a good idea. Retail companies get the benefit of a third-party audit of their software vendors' code and get to make their selections based on whether a vendor meets the PA-DSS standard. It's great for the retail and financial services industries covered by PCI DSS, but what about the rest of us poor schmoes? Shouldn't we get the same kind of protection?
Well, maybe we should, but it ain't gonna happen anytime soon. My suggestion to CIOs in other industries is caveat emptor. IT executives shouldn't buy software from any vendor without some type of review of the company's software development process, security testing, and emergency response procedures. What's more, purchasing agreements should hold software vendors' feet to the fire: address security process gaps, fix vulnerabilities within a defined time frame, and respond to emergency situations with an appropriate level of urgency. No commitment, no purchase.
Software vendors have always focused their attention on functionality, eschewing security in many cases. For the PCI Security Standards Council, this lack of secure development oversight led to an industry standard in the form of the PA-DSS. Yes, companies like EMC, Microsoft, and Oracle have embraced secure software development methodologies, but we are still buying a lot of vulnerable code from a plethora of vendors.
Since the rest of us don't have the PCI Security Standards Council to protect us, I strongly suggest more vigilant purchasing policies. Most vendors won't improve software security until they realize that neglecting it hits their top and bottom lines directly.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.