Software Security
The Big Fix
A contract GE signed with software vendor General Magic Inc. earlier this year has security officers and experts giddy and encouraged by its language. In essence it holds General Magic fully accountable for security flaws and dictates that the vendor pay for fixing the flaws.
General Magic officials say they weren't surprised by the language in the contract, but many experts say the company has to be pretty confident in its products to sign off. The effect of the contract, though, is to improve software in general. The vendor must make secure applications - or fix them so they're secure - to conform to its contract with a customer, but that makes the software better for everyone.
Clout is not limited to the Fortune 500. Sure, it's easy for GE to write such a contract, given that GE is part of the Fortune 2. And there's nothing wrong with CSOs benefiting from GE's clout - the corporate equivalent of drafting in auto racing.
But there are other ways to force the issue with vendors for CSOs at companies smaller than GE (which is everyone but Wal-Mart). One can join the Sustainable Computing Consortium at Carnegie Mellon University, and the Internet Security Alliance, formed under the Electronic Industry Alliance. The interest groups help companies of all sizes band together on standardizing contract language and best practices for software development.
Some are taking satisfaction in a good old-fashioned boycott, even if they are so small as to escape the vendor's notice. Newnham College at the University of Cambridge in England, with 700 users, recently banned Microsoft's Outlook from use on campus because of the virus problem.