Australian banks, telcos may come under secure software rules
Software engineering teams at Australia’s banks and telcos may be next in line – after software vendors to governments, and governments themselves – to have to meet software secure-by-design principles agreed by ‘The Quad’ nations.
The Quad – Australia, United States, Japan and India – published joint principles for secure software [pdf] after a meeting in Hiroshima over the weekend, which occurred on the sidelines of the G7 summit.
These would require, among other things, that sellers of software to government vouch for their compliance with secure software development practices, and participation in a “national vulnerability disclosure program”.
Governments would also need to take care of risks on their side, such as by implementing adequate controls and committing to expedient incident response.
Home Affairs secretary Mike Pezzullo told senate estimates yesterday that the guidelines should give software and service providers to the federal government pause to examine their practices.
“The four Quad partners in each of our jurisdictions have agreed joint principles to secure software supply throughout our supply chain,” Pezzullo said.
“If I was looking to vend to the government, I’d be reading those principles to say, ‘If the government’s not going to tolerate high-risk software in the development of code that is in services and products that I vend to government, then as a vendor I need to smarten up’.”
But Pezzullo also raised the prospect of the principles being more broadly applied outside of only software supply.
“Whether by principle or by direction, they’ll probably impose that on banks and telcos etc.,” he said.
“The signals are out there.”
The suggestion came in the context of a similar discussion, raised by Senator James Patterson, about whether growing government suspensions and bans on Chinese-made hardware and software could also be extended beyond government, particularly to critical infrastructure operators or those with “systems of national significance” or SoNS.