The Case for Regulating Quality within Computer Security Applications
Computer security applications (CSAs) are essential for ensuring information security across insecure mediums such as the Internet. However, despite the reliance placed upon them, empirical evidence and case studies indicate that they suffer from quality concerns similar to those of the broader software industry. This paper identifies two key reasons for this. The first is that private law and compensation, in their current form, are unable to raise quality within CSAs. The second is that the public good characteristics of CSAs, and the negative network externalities that defective CSAs exhibit, are addressable through regulation only. There are two types of defect: those that are known to the CSA vendor and those that are not. This paper therefore proposes a two-stage approach towards addressing these. The first stage is to raise the benchmark of CSA quality by mandating the use of standardised software engineering methodologies through the European standardisation framework, thereby ensuring that CSAs are released to the market without known defects. The second stage is to mandate the disclosure of exploitable defects identified after software release by leveraging the proposed European Network and Information Security Directive.