Last week, Salted Hash reader and IT security consultant Raj Goel suggested there should be a "lemon law" for insecure tech products.
His comments, sent my way in a LinkedIn message:
Is it just me, or did the guys who compromised every security org on the planet (RSA, every AV and DLP vendor, Adobe, Java) just pull a magic trick and pass the blame onto nameless hacktivists? Long before I fear the hacktivists and cyber-criminals, I DREAD Adobe, Java and the 100% failure rate that is the anti-malware industry. What do you think it's going to take to get a LEMON LAW for software passed?
I'm starting to see some reader response to this, but no one seems to like Goel's idea. What follows are some of the comments I've received. Keep the discussion going!
Donald Schleede --
I completely disagree with this concept. In a perfect world, this would make sense. For example, it is my job across the company to fight for security features and functions within our products, and to protect our customers from these sorts of issues.
As much as I would love to have all of my ideas implemented in every product, the reality is that there is a cost to every security function that gets implemented. We need to balance that cost with the ability to sell the product. The security cost is a direct cost included in the product and will increase the customers' purchase price, and unfortunately the revenue return from a security function in a product is MUCH harder to define. Security features are like insurance: they are only good IF something happens.
The way I have been able to get security functions included is to market those as an advantage over our competitors. It is my hope that the true end user, who is the ultimate decision maker, decides to purchase our product for slightly more cost BECAUSE it is more secure than our competition's.
I would say this is true for Adobe's products as well. If you think Adobe does a bad job in security for their very complex software, exercise your right as a consumer and don't buy from them. Throwing government regulations into the mix will only increase costs across the board.
I would say, as an alternative, that we should have some industry standards that could possibly be adopted at the federal level, that would help guide, and maybe help evaluate, levels of security. This could be similar to the Energy Star rating system. Maybe a Software Security Star Rating system? This would help the industry and the consumer by bringing visibility to the issue, and help drive the industry to a better place without legislation.
While implementing some form of lemon law on software vendors (especially security vendors!) would be ideal, I fear the software license agreements we tacitly or specifically agree to when we install the products would, at least in the minds of the vendors' legal teams, protect them from such a concept. At the very least, the legal system would be tied up for years if past experience with software companies has any bearing. If you think the patent wars are annoying, just wait until lawyers get hold of software lemon laws.
I sometimes think that Congress (whose members, after all, are mostly lawyers these days) passes certain laws so that their compatriots outside of government can reap the benefits of fees earned for fighting laws Congress passes and presidents sign.
Rob Babb --
Do it quick, do it cheap, do it right. Pick 2. Security falls in the "Right" category.
The world market says we need security tools immediately!
The world market also says we're not going to pay exorbitant fees for something that we can't see an ROI for!
So, you get it cheap. You get it in a timeline you want. And yes, it may have defects.
BTW, if you don't think it's cheap today... think what it would cost if it had been done to a much higher security standard. We're talking budget levels of, say, the NASA Apollo missions.