Regulating secure software development : analysing the potential regulatory solutions for the lack of security in software

Abstract

The security of our informational infra­structure is still relatively poor. Huge investments have been made and even the regulators have taken information security seriously. Majority of current efforts both at the operational and the regulatory level, however, address only symptoms of an underlying problem: the insecurity of the software products - the salient components of most information and software systems.

Secure software development has gained momentum during the past couple of years and improvements have been made. By analysing the incentives for secure software development, it is argued in this study that without appropriate regulatory intervention the level of security will not improve to meet the needs of the network society as a whole. Beside information security in general, secure software development has to be raised as an important public policy if we wish to achieve a more secure network society and to maintain trust for information products and systems in commerce.

Efficacious regulatory measures are desperately needed to change the current practices. This study analyses two of the most attractive alternatives, software product liability and disclosure of vulnerability information, and makes suggestions for their improvement.