Should software come with a Quality Certification?

Filed Under: SophosLabs

In a report last year the House of Lords Science and Technology Select Committee made a number of recommendations, including the suggestion that software, in particular security software should come with some sort of 'kitemark' standard certification to indicate that it meets certain quality criteria. If the application is later found to contain security holes, purchasers should be able to make some form of claim against the software supplier.

Yesterday I was speaking at the Secure London conference organised by (ISC)2 and then ran a panel session on this very topic. There was a very lively debate which I found very useful. Various attendees had horror stories of secure websites sending credit card details in plain text, passwords stored insecurely and so on.

The consensus appeared to be that software vendors should be assessed on the quality of the processes and procedures they follow and make reasonable efforts to secure their applications and if these processes have not been followed they should be liable. This raised all sorts of questions about what was 'reasonable' and who should decide (do judges have the knowledge to be able to make such judgements?).

The analogy used several times was the motor industry, significant improvements in the safety of motor vehicles have been made through both legislation and innovation and now purchase decisions are often based on the safety of a vehicle, surely the same can be applied to software, can't it?

Unfortunately we ran out of time just as we started to discuss how open source software would fit into such a scheme.

I'll leave my own thoughts on this topic to myself for the time being but I'd be interested to hear any readers thoughts. Feel free to email me your comments or suggestions on whether this is a good idea at

You might like