Commentary: The Best Way to Make Software Secure: Liability

[InfoSec News <isn () c4i org>]

http://www.businessweek.com/magazine/content/02_11/b3774071.htm

By Ira Sager and Jay Greene
MARCH 18, 2002 
INFORMATION TECHNOLOGY 

Microsoft Corp. is having a tough time making sure its products are
free of glitches. On Feb. 21, the software giant alerted customers
that it had released three fixes for gaping security holes in its
Internet browser and other Web software that could allow hackers to
crash Web servers or snatch files from a personal computer and send
them to an attacker's machine.

Those revelations came just three weeks after developers in
Microsoft's Windows division temporarily stopped writing software.  
Instead, the 7,000 programmers that work on the company's ubiquitous
operating system and Web-server software are spending this month
learning how to turn out bug-free programs, while combing products for
any existing flaws.

No wonder Microsoft Chairman William H. Gates III has set security as
his top priority. On Jan. 15, he sent an e-mail urging Microsoft's
50,000 employees to make their software as reliable and trustworthy as
electric, water, and telephone service. Gates knows that if he wants
customers to buy software and services via the Web--a key element of
his vision for Microsoft--he can't afford security snafus. "Our
software should be so fundamentally secure that customers never even
worry about it," Gates wrote.

Bill, you're right. But you're a little late. Microsoft and other tech
companies have neglected security issues for years. It's time
companies that sell software with yawning security flaws or fail to
secure their computer systems be held liable. Companies, or
individuals, should be able to sue to recover any damages brought on
by faulty programs or improperly installed security software.

Today, no one is held accountable for such lapses, and there's little
incentive to improve the situation. On Jan. 8, the prestigious
National Academy of Sciences, frustrated that security measures
already available aren't being used, suggested lawmakers consider
legislation that would end software companies' protection from product
liability lawsuits.

Consider the experience of CERT, the government-funded computer
security group. After trying for nine months to get computer companies
to fix a flaw that could hit a multitude of networked devices, from
printers to Web servers, CERT issued a public warning on Feb. 12 of a
security gap. Even so, a day later the majority of the 240 companies
affected had yet to contact CERT.

Much of the talk about improving computer safeguards overlooks a
fundamental problem: Poorly written software is at the root of many
security breaches. That's why the same mistakes keep cropping up. For
example, recent problems with Microsoft's new Windows XP operating
system and America Online's popular instant messaging program involved
a design flaw that has been tripping up programmers for 20 years--even
though tools are available to test for this vulnerability. "Software
companies don't spend enough time on design and testing the product
before it's made public," says Marty Linder, a security expert at
CERT.

Hence, the bug hunt at the Windows division. So far, it's unclear if
Microsoft will do the same with all its products. It's trying to
change a culture that hasn't believed the problem was faulty software.  
Instead, Microsoft employees pointed the finger at users who didn't
safeguard their systems. Microsoft notifies customers to update its
products with software patches to take care of the latest scourge. But
they left that task to users and, more often than not, it was ignored.  
"People didn't spend the two clicks to do it," says Craig J. Mundie,
Microsoft's senior vice-president. This spring, Microsoft will unveil
technology that allows Windows users to receive automatic updates each
time a bug fix is available.

To date, there has been little incentive for Microsoft and other
off-the-shelf software makers to do more. Why? Because they have
insulated themselves by disclaiming all product liability. The courts
have decided that buyers waive their right to sue after clicking the
"I accept" button when they install software. "If Firestone produces
tires with systemic vulnerabilities, they are liable," says Bruce
Schneier, chief technology officer of Counterpane Internet Security
Inc., a provider of network protection services. "If Microsoft
produces software with systemic vulnerabilities, they're not liable."

A better model for improving security may be the Y2K bug. Facing the
threat of widespread computer meltdowns at the millennium, industry
mobilized to change business practices and governments passed laws
requiring Y2K certification for tech gear. Companies underwent massive
campaigns to make certain they complied because they didn't want to be
held liable for damages. The Securities & Exchange Commission required
corporations to provide details of their Y2K efforts in quarterly
earnings reports.

There are signs that Microsoft is trying to change the way it develops
software. But it won't be enough to rely on one company to get it
right. To get serious about computer security, there must be
accountability.

Sager writes about computer security from New York. Greene covers
Microsoft from Seattle.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.