Tuesday, January 25, 2011

How to Regulate Software Security

In the 1960's and early 1970's, my father worked for JC Penney's quality assurance (QA) department. In those days, JC Penney used to evaluate and test the products they sold.

After we moved from New York City out to Suffolk County, Long Island, my father decided to forgo the commute on the Long Island Rail Road and he went to work locally at Underwriters Laboratories (UL) which specializes in independent safety certification.

Growing up, I learned a lot about the importance of QA in manufacturing. After all, you can't know everything about everything, so it's nice to have a professional looking out for your safety.

The Emergence of Consumerism
As new industries emerged during the Twentieth Century, there arose a need for independent organizations to evaluate the suitability of third-party products. A similar requirement now exists for the software industry, where third parties need to evaluate software for security. However, these organizations cannot also sell the solution to the problems they discover.

These third parties would evaluate software in ways similar to how current private (Consumer Reports, BBB, UL, etc.) and public (FDA, EPA, FAA, etc.) organizations evaluate cars, planes, businesses, drugs, and so on.

Regulating Innovation
But, software is too innovative to regulate.
That's what was said about the automobile industry more than 80 years ago. Today, NHTSA provides a meaningful safety rating system with 90% of cars receiving at least four out of five stars.

But, closed systems take power from the user.
This is exactly what was said to ADM Grace Hopper when she developed the first library of mainframe software routines in the early 1950s. However, over time, more and more users are consumers, not programmers.

It's important to keep in mind that a regulated system does not have to be closed. Car owners are free to modify their cars, but very few actually do that. Nearly all consumers, these days, opt for a car and engine made by the same manufacturer and rarely look under the hood.

With power comes responsibility - if software engineers really wanted all the power and responsibility possible, then they'd be programming in assembly language and forgoing higher-level languages and operating systems.

App Store
The Apple App Stores for Mac OS X and iOS are a small step in the right direction. Over the years, we've come across software from independent developers and asked ourselves, "Do I trust this app enough to download and install it?" Having a credible App Store is a good first step to building trust in both the product's quality and the financial transaction.

Nowadays, we don't dig too deep into safety when it comes to driving a car, flying on a plane, or driving over a bridge. The system works because we trust it.

Independent Evaluation
The next step would be independent organizations that evaluate software (including websites) for security.

Steps have already been taken to evaluate how companies store payment data, collected by websites, using the PCI Compliance standard.

An oversimplified sample of questions that could be answered in the evaluation would be:
How is my private information stored (is it encrypted)?
How does it communicate over the Internet?
What information is transferred?
Does it use third-party open or closed software libraries?

For server software, metrics could be used such as determining how many transactions can be processed within a given time to size up the load it can handle. Of course, the transaction details would need to be specified so that others can reproduce them. Publishing how much load a server can handle is no different than publishing how much load a crane can hold.
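To make the checklist above and the load metric concrete, here is an added example of how an independent evaluator might automate both; it is not code from the post. It assumes a hypothetical machine-readable "declaration" from the vendor (the keys such as `encrypted_at_rest` and `endpoints` are invented for illustration, not from any real standard), a published transaction workload whose hash identifies it so others can reproduce the run, and a toy in-memory ledger standing in for the server under test. The star rating at the end is one possible scheme, not the post's.

```python
"""Toy independent-evaluation harness (added example, not from the post)."""
import hashlib
import json
import random
import time

# --- Checklist questions from the post, each with an automated check over the
# --- vendor's declaration. Keys are hypothetical, not a real standard.
CHECKS = {
    "private data encrypted at rest": lambda d: d["storage"]["encrypted_at_rest"] is True,
    "network traffic uses TLS": lambda d: all(u.startswith("https://") for u in d["endpoints"]),
    "data transferred is declared": lambda d: len(d["data_transferred"]) > 0,
    "third-party libraries are declared": lambda d: "third_party_libraries" in d,
}

# Constructed sample declaration; note the one plaintext telemetry endpoint.
SAMPLE_DECLARATION = {
    "storage": {"encrypted_at_rest": True},
    "endpoints": ["https://api.example.invalid/v1", "http://telemetry.example.invalid/ping"],
    "data_transferred": ["account id", "balance"],
    "third_party_libraries": ["libfoo 1.2 (BSD)"],
}


def evaluate_declaration(decl):
    """Return {question: passed}. Anything undeclared is unverifiable and counts as failing."""
    results = {}
    for question, check in CHECKS.items():
        try:
            results[question] = bool(check(decl))
        except (KeyError, TypeError):
            results[question] = False
    return results


# --- Published, reproducible transaction workload (constructed). Fixing the seed
# --- makes the exact operation sequence identical for anyone re-running it.
WORKLOAD = {"name": "deposit-then-balance", "accounts": 100, "operations": 5000, "seed": 42}


def workload_id(spec):
    """Stable identifier of the transaction spec, so a published load figure names its workload."""
    return hashlib.sha256(json.dumps(spec, sort_keys=True).encode()).hexdigest()[:16]


def generate_transactions(spec):
    """Deterministic stream of (op, account, amount) tuples derived from the spec's seed."""
    rng = random.Random(spec["seed"])
    for _ in range(spec["operations"]):
        acct = rng.randrange(spec["accounts"])
        if rng.random() < 0.5:
            yield ("deposit", acct, rng.randint(1, 100))
        else:
            yield ("balance", acct, 0)


class ToyLedger:
    """Stand-in for the server under test: an in-memory account ledger."""

    def __init__(self, n_accounts):
        self.balances = [0] * n_accounts

    def handle(self, op, acct, amount):
        if op == "deposit":
            self.balances[acct] += amount
        return self.balances[acct]


def measure_throughput(spec, handler):
    """Run the whole workload once against handler; return (count, seconds, tps)."""
    start = time.perf_counter()
    count = 0
    for op, acct, amount in generate_transactions(spec):
        handler(op, acct, amount)
        count += 1
    elapsed = time.perf_counter() - start
    return count, elapsed, (count / elapsed if elapsed > 0 else float("inf"))


def star_rating(check_results, tps, tps_target):
    """One star per passed checklist item, plus one for meeting the throughput target (max 5)."""
    stars = sum(check_results.values()) + (1 if tps >= tps_target else 0)
    return min(stars, 5)


def run_evaluation(decl=SAMPLE_DECLARATION, spec=WORKLOAD, tps_target=1000):
    """Produce the kind of report an evaluator would publish alongside the rating."""
    checks = evaluate_declaration(decl)
    count, elapsed, tps = measure_throughput(spec, ToyLedger(spec["accounts"]).handle)
    return {
        "checks": checks,
        "workload_id": workload_id(spec),
        "transactions": count,
        "seconds": round(elapsed, 4),
        "tps": round(tps),
        "stars": star_rating(checks, tps, tps_target),
    }


if __name__ == "__main__":
    print(json.dumps(run_evaluation(), indent=2))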

The criteria for the evaluation are important, but it's up to each independent organization to develop its own standards for competitive reasons.

In the end, the evaluation would sum up the software quality using a rating system. Most people, when reviewing cars, look at the star ratings for the specific vehicles that pique their interest and then dig into the details of the review.

Simply because an application receives, for example, one star doesn't mean that the government needs to intervene. We have plenty of "one star" software on the market today; it's just a matter of giving consumers enough information so that they can evaluate the big picture.