2001-12-17
Safety standards and civil liability made automobiles safe. It can work for software too.
Save the Net, Sue a Software Maker
2001-12-17
Sean, bremerton Wa (4 replies)
Save the Net, Sue a Software Maker
2002-01-12
An old codger that used to be proud of his profession.
Save the Net, Sue a columnist
2001-12-19
Anonymous (1 replies)
OS and App tools NOT ready for Prime time= lawsuit city!
2001-12-21
we are years away from having tools that coders can use safely (ex: SELinux and CycloneC)! (1 replies)

One of the jobs I've done in the recent past is software safety analysis for critical systems, something analogous to UL (Underwriter's Labs). There are several companies in the U.S. and E.U. which do this kind of work; it's time to require major critical software to meet safety and security requirement certification.
Exposure to liability implies that insurance must be available if the industry is to survive; the insurance must be conditional upon successfully passing software safety and security analysis in order for the insurers to limit their risks. The businesses and individual consumers win both ways: they obtain better software, and the right to compensation for damages. They get neither benefit now.
Surely there's room in all those Microsoft billions for a cert of IIS, Exchange, and XP? The cost of certification is clearly a business expense which can be handled as any other business expense. Open source efforts will need an umbrella nonprofit organization to raise money to fund the certifications; but many open source efforts already have such organizations in place. Shareware could even reserve its certified versions for those who actually pay for the software, providing an incentive for users to actually do so, while the not-paid-for-beta version would continue without liability coverage.
The time has come to raise software development into a true engineering discipline. This will never happen until the industry is willing to be responsible for its creations...