Secure Coding mailing list archives
Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading
From: andre at operations.net (Andre Gironda)
Date: Sat, 1 Dec 2007 21:45:32 -0700
On Nov 29, 2007 3:47 PM, Kenneth Van Wyk <ken at krvw.com> wrote:
The article quotes David Rice, who has a book out called "Geekonomics: The Real Cost of Insecure Software". In it, he tried to quantify how much insecure software costs the public and, more controversially, proposes a "vulnerability tax" on software developers. He believes such a tax would result in more secure software.
I read Geekonomics a few weeks ago, when it became available on SafariBooksOnline. I have mixed feelings about the author, the book, and the subject matter. His discussions in the book are great - especially in the first four chapters. However, I find the solutions and conclusions that he comes to in the last chapter (including all this "tax" business) to leave a lot to be desired.

My primary reasons for disliking this "vulnerability tax" are that it doesn't take into account both web applications and Software-as-a-Service. Not surprisingly, the book fails to cover both of these topics. I'm not sure if David Rice does this on purpose, because he does touch on open-source software issues (dedicating an entire chapter to it, and sprinkling the topic through the book).

BTW - I think David Rice brought in the idea of a "vulnerability tax" because it was the first analogy that popped into his head from the research and discussion brought about in his book. On page 157 (Chapter 4), he discusses the incentives put forward by the ISAlliance in the form of Cyber Insurance Discounts - http://www.isalliance.org/content/view/29/71/

Quote, "AIG, the world's largest provider of cyber insurance, agreed to provide premium credits of up to 15% for companies that join the ISAlliance and subscribe to these best practices. For many companies, the cash value of this discount may be worth more than the entire cost of ISAlliance membership".

More details in the Market Incentives Legislative whitepaper here - http://www.isalliance.org/content/view/92/229/

In the last chapter of Geekonomics, David Rice talks to many solutions and incentives besides the "vulnerability tax", but none are quite as coherent (or controversial). I suggest reading the entire book regardless of what you think about what amounts to a very small section/topic.
IMHO, if all developers paid the tax, then I can't see it resulting in anything other than more expensive software... Perhaps I'm just missing something, though.
David Rice does propose the tax for both software vendors (not sure if this includes SaaS) and consumers, which is stated more clearly in the book. The way he proposes all this doesn't seem like a solution - as many vendors will turn this around on governments and force the consumers to, again, eat the cost of any type of effort. Does anyone expect that software vendors or open-source software makers are really going to be able to produce more secure software because of a "vulnerability tax"? Personally, I don't think this gets very close to the root-cause of software vulnerabilities.

Cheers,
Andre