Software industry admits new security rules might be needed