IT vendors must be held responsible for security flaws, say experts
European Commission says that technology vendors should do more to secure their products
The European Commission has criticised technology vendors who neglect the security of their products and services in the race to be first to market.
Speaking at the annual Information Security Solutions Europe (ISSE) event in Rome last week, the Commissioner for Information Society and Media, Viviane Reding, said that vendors who “cut corners on security, betting that those vulnerabilities can be fixed later” are creating a situation that is dangerous and costly for firms.
Bruce Schneier, security expert and founder of Counterpane Internet Security, said in his keynote that vendors should be held legally liable for flaws in their products that can result in enterprise customers suffering financial loss, bad publicity and non-compliance with regulations.
However, he acknowledged that this would end up costing businesses more money in the long term, and could mean longer development times, “but at least security improves while we are waiting”, he added.
“If you don’t [enforce vendor liability] the problem will never be fixed, but if you do the technologies will come out of the woodwork to fix the problem because there will be money to be made from it,” Schneier argued.
In a panel debate at the event, Andy Ozment of Cambridge University argued that because open-source products are less susceptible to the commercial pressures of quick release cycles than proprietary products, they are likely to be more secure. But Ronny Bjones of Microsoft argued that technology alone could not account for all the security problems encountered by firms.
“A lot of security events are due to bad configuration of systems, so we need to reach out to [the customers] to help them set up their systems [correctly],” he added.