The onus lies with software suppliers

The software industry must get its act together to win the trust and confidence of users, say some of the leading business figures in the UK.

They echo Computing's Trust campaign, which last year warned that quick-fix patches and inconsistent standards could damage the IT recovery.

Stephen Timms, ecommerce Minister told Computing that continued shoddiness in the software sector is a serious concern when budgets are so tightly stretched.

'IT systems and the software packages that run on them touch every aspect of society,' he said.

'An important shift is taking place in the way information and communication technologies are being used. It is vital today that security is planned in from the first steps in system design, and not left until the end of a project. This is key to building trust in information technologies.'

Blue-chip user group, the Corporate IT Forum (Tif) has become increasingly frustrated by the software industry's inability to deliver reliable products and says the patience of some of its members with shoddy computer code has finally run out.

'Because IT as an industry has been around for over 50 years there is increasing irritation with the cowboy outfit behaviour of many companies,' said Tif chairman Jonathan Mitchell, who is CIO and director of business process at Rolls Royce.

'Over the course of the year that irritation is increasing fast because the approach of a lot of the companies buying IT equipment is very different from that of computer software vendors.

'In avionics and pharmaceuticals for example, you are quite simply not allowed to sell products that don't work.'

Some estimates of the cost of crashes for Windows operating systems now run at nearly £1.1bn a year worldwide.

US estimates suggest the average company spends between £62,000 and £620,000 a year on computer downtime.

Mitchell says the practice of releasing unfinished code and testing it on business and the consumer is now unsustainable.

Mitchell's message is echoed by John Clarke, Tesco Group chief technology officer.

'We are seeing product being released that is not reliable from companies right across the spectrum. At a time when we are trying to build systems we want to keep for a number of years at a time when we feel the business seems to have gone backwards.

'Suddenly there seems to be a lot fragility in the systems,' he said.

Antony Harris, IT director at high street retailer GAME says deploying new systems is becoming an increasingly risky business.

'Unfortunately there is no way of knowing when you buy something if it has flaws or not,' he told Computing.

'If you're implementing a complex system you can't then turn round and say you're not going to use it. Investment in implementations is so large that you generally have to accept it. If you bought a car like this that you would go mad.'

Beatrice Rogers, ebusiness programme manager at supplier trade body Intellect thinks part of the problem lies with a lack of testing.

'TEST is bit of a four letter word in the software industry,' she told Computing. It's like corporate governance of accounting practices - it takes a big disaster like Enron for people to take notice and make changes.'

Jeremy Rudge, head of ecommerce, Royal Bank of Scotland's Trust Assured scheme is also concerned about lack of testing.

'The return on investment that software delivers is absolutely crucial to today's business,' Rudge said. 'There are plenty of examples of IT spend not providing the originally predicted ROI.'

The deployment of patches to fix software holes and vulnerabilities is becoming an increasing problem for IT departments.

Figures provided to Computing by security vendor Symantec show that 2,524 vulnerabilities were identified last year, an 81.5 per cent increase on last year.

'How many on these two-and-a-half-thousand warnings do we need to worry about?', Dave Berwick, IT manager of Mitsubishi Motors, UK said.

'We have to look at each one and take a balanced risk. The likelihood of that particular vulnerability affecting our systems is low, medium, or high, and we have to start allocating people to that, and that's a resource drain.'

The world's biggest software company Microsoft says it is aware of business demands and and has been making big improvements as part of its Trustworthy Computing efforts (Computing, 27 February).

'There are several demands customers are currently making and certainly the first is quality software code,' Stuart Okin, chief security officer, Microsoft UK said.

'Even when we've improved the quality of code there's always going to be changes that need to be made. The challenge then becomes to establish a way of automatically issuing patches, which we're doing at the moment with XP.'

The Facts

• The average hourly impact of computer downtime to the US energy industry is $2.8m (£1.8m), $2m (£1.3m) to the telecommunications market and $1.6m (£1m) to the manufacturing sector, according to US web hosting and development company Creative Data

• In 2002 2,524 software vulnerabilities were identified at a rate of almost seven a day, according to Symantec

• Figures from consultant KPMG estimate the average cost of a security breach in the UK is $108,000 (£68,500)

• A survey of 100 UK IT directors by ICM Research for TruSecure, found that 45 per cent of respondents cited patch management as too costly or poor value

• Around 80 per cent of companies that have adopted supply chain technologies have failed to achieve a return on their investment, according to a survey by Capital Consulting and Management

Additional reporting by Peter Warren