Secure Coding mailing list archives

Could mandates on disclosing software effects benefit


From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Thu, 1 Feb 2007 01:10:13 -0500 (EST)

Question is: would it make sense to lobby for disclosure requirements of all 
writes software does, to whatever, and reasons for them, as conditions to make 
it fit for sale? Perhaps likewise to be a (or the?) defense against claims the 
software is doing things to others' machines without authorization?

Certainly such lists would require more of everyone installing software, at 
least in principle (I imagine permission interpreters would alleviate most 
work), but they would also make it possible for the first time to give trust in 
an informed way.


People see Microsoft in the news all the time for having vulnerabilities and it isn't stopping
them from making money. Regarding websites, myspace and other large online companies have also
been bitten and aren't being negatively affected.

I think creation of federal guidelines requiring security in the development cycle would be a much more
practical way to force people to implement appropriate baseline security measures. To some extent
policies such as SOX are starting this process regarding certain types of data or environments. 

In the majority of cases, without the threat of preventing business, you're not going to get people to do anything
unless they absolutely need to.

Regards, 

- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.qasec.com/