Is it time for a ‘lemon law’ for insecure technology?

Oct 11, 2012 | 2 mins
Application Security, Network Security

A reader makes an interesting suggestion about how to handle the software and hardware responsible for many of our security problems.

A reader, IT and security consultant Raj Goel, sent an interesting response to a post I wrote yesterday about vendors overplaying the hacktivist threat. He suggested faulty software and hardware are bigger threats than outside hacking groups will ever be, and that it’s time for a “lemon law” for this particular scourge.

His comments, sent my way in a LinkedIn message:

Is it just me or did the guys who compromised every security org on the planet (RSA, every AV and DLP vendor, Adobe, Java) just pull a magic trick and pass the blame onto nameless hacktivists? Long before I fear the hacktivists and cyber-criminals, I DREAD Adobe, Java and the 100% failure rate that is the anti-malware industry. What do you think it’s going to take to get a LEMON LAW for software passed?

I found that interesting, and told him so. He then added:

I’ve been advocating for that since 2001. Why is it that when Toyota has a minor brake problem, they have to spend $2B to fix the problem, whereas, when flaws in Flash infect millions of PCs, Adobe is let off the hook? If food or drugs had a 30% failure rate, would we buy them? Would the FDA allow them to be sold? Nope, they wouldn’t. And yet, what’s the success rate for the BEST AV software? 71%.

I have no big points to add to the mix, other than that I agree there needs to be a bigger stick over the vendors’ heads. Not that I think it’s that simple. I also think that despite all the glitches we see daily, some of the big tech vendors — Microsoft, Oracle and even Adobe — have been working hard to improve the security of their products.

So tell me, readers: is it time for a tech lemon law? Or is it an idea both oversimplified and unrealistic?