Suing software vendors is no security fix

Fewer software vulnerabilities and more lawsuits won't rid us of security problems on the Internet

Many readers blasted me for last week's column that purportedly took vendors' side regarding software liability, but my critics missed two big points.

First, I'm a security guy -- I'd gladly give up faster innovation and new feature sets for improved security.

[ Also on InfoWorld: Roger A. Grimes takes a stand in "Vendors should not be liable for their security flaws." ]

But I don't want to single out software vulnerabilities as a reason to overturn hundreds of years of common law, under which we don't hold people accountable for unintentional acts of harm. Common law already says you can hold people accountable for harm that any reasonable person in their position should have foreseen. You can already sue vendors for security vulnerabilities -- and people do. But I'm against people suing over unintentional acts because it flies in the face of our generally accepted tort law (no, I'm not a lawyer).

Instead, I believe people should vote with their dollars and not reward vendors for poor security, intentional or not. If a vendor shows a long-term history of security weaknesses, we should let them know of our discontent by not supporting their products.

Many readers picked on my full-time employer, Microsoft, to say it should be sued into making more secure software. This is exactly my point. Microsoft is sued a lot, like all big software vendors, but I'm not sure more lawsuits would improve security. What did change Microsoft and make it a more secure coder? Dollar votes!

A decade ago, people began more often to buy or recommend non-Microsoft products. Bill Gates got that message and started the company down a new path known as the Security Development Lifecycle (SDL). Microsoft went from being one of the vendors with the most security vulnerabilities to one with the fewest, compared to its major competitors. Lawyers and litigation didn't move Microsoft; paying customers did.

An even bigger reason for my reluctance to encourage more lawsuits against vendors is that software will never be perfect, and even if it were, that would not significantly diminish hacking. The No. 1 cause of infection is Trojan horse programs picked up by users visiting a trusted website. These users didn't have unpatched software, though that is the second most common cause of exploits. A roving worm or virus didn't infect them undetectably. No, the user intentionally ran something they shouldn't have, no doubt ignoring the two to six security warning prompts that pop up when downloading and running an unknown file. They infected themselves.
