N+I: Network security: who's responsible?

Software vendors are too busy competing on product features to pay adequate attention to inbuilt protection, argues security technology exec Shawn Clowes.

In a colorful panel discussion held at NetWorld+Interop, the IT director for Sydney tech security consultancy SecureReality said security built into software was too weak because vendors were too intent on pandering to consumers who favoured continually upgraded product features over security.

"Software quality is, I would say, not very good. That's because customers want more and more features. You compete on features. You don't compete on 'I'm secure,'" he said.

He said vendors skimped on security testing when developing new products only because that testing slowed down a product's time to market. Furthermore, he believes vendors use fear to win the confidence of, and sell products to, end users.

Clowes' comments were met with amused disapproval from security software executive Peter Sandilands. The regional manager of Check Point Software Technologies said vendors could only reasonably test software according to likely scenarios in which that software would be used.

He said if vendors were obliged to test for every possible vulnerability in every product, "no vendor would ship a single product".

"There are some assumptions that have to be made."

The panel discussion also touched on the issue of fault disclosure. Panelists agreed there was no simple formula to decide how much information customers should be given if a company learned of a network security hole, but Clowes spoke strongly in favour of a wholly open approach.

"Full disclosure is the only way it can work," he said.

Other panelists spoke against an emerging e-business trend in which companies publish policies on their Web sites that defer all responsibility for privately submitted details back to the customer.
