Fewer software vulnerabilities and more lawsuits won't rid us of security problems on the Internet

Many readers blasted me for last week's column, "Vendors should not be liable for their security flaws," which purportedly took the vendors' side on software liability, but my critics missed two big points.

First, I'm a security guy. I'd gladly give up faster innovation and new feature sets for improved security. But I don't want to specifically identify and codify software vulnerabilities as a reason to overturn hundreds of years of common law, under which we generally don't hold people accountable for unintentional acts of harm. Common law already says you can hold people accountable for harm that any reasonable person in their position should have foreseen. You can already sue vendors for security vulnerabilities, and people do. But I'm against people suing over unintentional acts because it flies in the face of our generally accepted tort law (no, I'm not a lawyer). Instead, I believe people should vote with their dollars and not reward vendors for poor security, intentional or not. If a vendor shows a long-term history of security weaknesses, we should let them know of our discontent by not supporting their products.

Many readers picked on my full-time employer, Microsoft, to say it should be sued into making more secure software. This is exactly my point. Microsoft is sued plenty, like all big software vendors, but I'm not sure more lawsuits would improve security. What did change Microsoft and make it a more secure coder? Dollar votes! A decade ago, people began more often to buy or recommend non-Microsoft products. Bill Gates got that message and started the company down a new path known as the Security Development Lifecycle (SDL). Microsoft went from being one of the vendors with the most security vulnerabilities to one with the fewest, compared to its major competitors. Lawyers and litigation didn't move Microsoft; paying customers did.

An even bigger reason for my reluctance to encourage more lawsuits against vendors is that software will never be perfect, and even if it were, that would not significantly diminish hacking. The No. 1 cause of infection is Trojan horse programs picked up by users visiting a trusted website. These users didn't have unpatched software, though that's the second most common cause of exploitation. A roving worm or virus didn't infect them undetectably. No, the user intentionally ran something they shouldn't have, no doubt ignoring the two to six security warning prompts that pop up when downloading and running an unknown file. They infected themselves.

I certainly don't blame the average user; they aren't computer security experts. They're doing what their computer tells them to do. But fewer software vulnerabilities aren't going to solve our problems. The only way to significantly diminish malicious hacking is to fix the underlying problems, and that means significantly changing the way the Internet works. We need default, pervasive authentication, centralized security services, and the ability to communicate trust and assurance in every Internet packet.

It's not as hard as it sounds. It can be done. We don't even have to invent any new security protocols. Everything we need already exists. We need only agree to do it, put some values in a few tables, and implement.

I say this at least a half-dozen times a year, and I've been at it for more than half a decade. My first column on how to fix the Internet was published in January 2008, followed by my whitepaper on the subject in May of the same year; the most recent update was posted just last month. I've also written regularly on the subject; see my earlier posts "This Internet fix is no pipe dream" and "Fixing the Internet would be easy — if we tried" for proof.

I can't get worked up about increasing software vendor liability, next-generation firewalls, or any endpoint security defense, because they will not work. I get tired of wasting cycles debating ineffective solutions. I want to knock down the false defenses, if possible, so that we can start concentrating on the defenses that will work. Suing (or even yelling at) software vendors isn't the answer.

This story, "Suing software vendors is no security fix," was originally published at InfoWorld.com, where Roger Grimes writes the Security Adviser blog.