Sunday, May 10, 2009

EU requiring guarantee of software security?

In one word - wow. Looks like software companies might be held liable for the security of their software if the EU gets its way. According to the article:

"Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.

Commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software. The suggested change in the law is part of an EU action agenda put forward by the commissioners after identifying gaps in EU consumer protection rules."

I like this, since BitArmor itself has announced a No-Breach Guarantee. It is a good idea to make sure software vendors have a bigger stake in making their software more secure.

However, I am not sure I like the stick approach. It could have several ramifications. Will all software be capable of meeting such a guarantee and actually being secure? Will vendors become more risk-averse and stop innovating? Given how widely the environments in which software runs vary, how could such a law be enforced?

I think it might be better to provide incentives for better security, i.e., ensure that government contracts give preference to software with such guarantees, rather than a blanket law that forces it.