With reports swirling that Apple has hired security author David Rice as director of global security, the ideas Rice has put forth in the past to help improve software quality have moved back into public debate.
Rice's book, "Geekonomics," attempts to tackle the nebulous and contentious topic of software quality and the cost insecure code levies on us all. In his career, Rice has also works as a global network vulnerability analyst for the NSA as well as a cryptologic officer in the United States Navy.
In this recent OWASP (Open Web Application Security Project) talk, Rice likens the battle for the hearts and minds of the public to demand secure code to that of the battle against pollution as a side-effect of industrialization. Once upon a time, pollution was accepted as a given as part of an industrialized society. Eventually, some started to demand pollution be brought under control, and eventually forward-thinking companies saw being environmentally friendly as smart business.
Rice hopes to see the same evolution in thought when it comes to software security: that eventually, software vendors would recognize that developing secure, sustainable software is smart business. However, Rice acknowledges, that's not likely until the marketplace has better information about the quality of the software it consumes. That is: consumers (whether they be individuals or businesses) need to be able to evaluate the inherent security of an application.
For instance, the notion of some type of 5-Star Safety Rating for software could help software buyers understand the security of an application through some type of third-party evaluation and testing. "The idea is to give consumers the information they need to make better decisions. This would improve the efficiency of the market for software," says Josh Corman, research director at the 451 Group's enterprise security practice. "People today, generally, have no idea how to judge the quality of software as it relates to security. Such information would provide the clarity a market needs to function," he says.
Another idea Rice has floated include the notion of a Pigovian tax designed to correct the current "broken" market outcome in the software industry. That's to say, end users pay the price for shoddy software through attacks, bolted-on security solutions, and the never-ending patching process. If security related vulnerabilities were somehow taxed, the cost burden would be shifted more from the consumer of software to the software manufacturer. That's the idea, however many industry experts don't think it would work.
"It's a horrible idea," says John Pescatore, analyst at the research firm Gartner. "It's as silly as the senator who proposed, making buffer overflows illegal years ago," he says. "Basically, market forces are already at work. Look at the market share of IIS and Internet Explorer today compared to years ago. Every company has the ability to choose a software provider and to highly weight lack of vulnerabilities or patch histories or whatever," Pescatore says.
Others argue that there is no correlation between the sheer number of software vulnerabilities and attacks. "There is a presumption there that you can have perfect software, to the extent that you can't have that, we are giving them an incentive to produce better software, but there is no good science around the nature of vulnerabilities," says Pete Lindstrom, research director at Spire Security. "For example, is there a relationship between known attacks and the number of vulnerabilities in software? I don't know that to be true," he says.
Another idea mentioned in Rice's book is the notion of liability and tort reform to make it easier to sue software makers for the damages created by faulty software. The idea, again, is to shift the costs of damages caused by shoddy software to the manufacturer.
Many argue, however, that the cost of software would rise for all consumers and that both a software security bug tax and making it easier to sue software makers for faulty software would benefit larger manufacturers who could afford to pay the taxes and lawsuits, while potentially burying open source and small independent software vendors who lack deep pockets.
Pescatore shares yet another idea: software recalls. "The best economic pressure would be move to what we see in the consumer product world -- recalls. Basically, the manufacturers have to bear a large portion of the cost of fixing problems with the products, if the faults are dangerous enough. However, the software-licensing model has long fought off this kind of liability -- but I think that is the most likely path to any change. You can already see how the FTC, without any new regulations, has been able to do this on privacy violations -- not a big leap from there," he says.
The subject of software liability and any potential bug tax brings heated debate. But it's a debate not likely to go away soon. "To date no one has been held accountable for a software flaw, no matter the cost it created," says Corman. "That has to change. We have to improve the economic equation," he argues. "And it is better to start sloppy and then refine it over time. We need to explore the potential impact of tort reform, as well as taxes and other penalties," he says.
George V. Hulme writes about security, technology, and business from his home in Minneapolis, Minnesota. You can also find him on Twitter as @georgevhulme.