Secure Coding mailing list archives

Re: Why Software Will Continue to Be Vulnerable


From: Michael Silk <michaelslists () gmail com>
Date: Mon, 02 May 2005 12:31:57 +0100

Inline..

On 5/2/05, Jeff Williams <[EMAIL PROTECTED]> wrote:
What really mystifies me is the analogy to fire insurance. *Everyone*
keeps their fire insurance up to date, it costs money, and it protects
against a very rare event that most fire insurance customers have never
experienced. What is it that makes consumers exercise prudent good
sense for fire insurance, but not in selecting software?

Fire safety is physical, not tremendously complicated, and we have tons of
actuarial data. Software security, on the other hand, is extremely difficult
for anyone to measure -- it takes a lot of effort, even with the most
advanced tools and knowledge.

So there's no way for anyone to tell which software is secure.  Many vendors
make dramatically inflated claims about their product's security features
and rarely get called on them.  For example, there are dozens of vendors
claiming that their technology solves the OWASP Top Ten -- which is
ridiculous.

Anyway, it's not surprising to me that consumers aren't seeking out
security.  Or that vendors aren't providing it for that matter.  In my
opinion, the market is broken because of asymmetric information, and it will
never work until we find ways to make security more visible to everyone.

To whom, though?

I honestly don't believe that the consumers will _EVER_ care, and I
don't believe that they should have to. At most maybe they should just need
to keep an eye out for a sticker, or star-rating (government approved)
or something. But as you say, 'security' is 'hard to measure', so an
approach like that won't work.

Maybe there is no answer, and the problem will never be fixed ... it's
probably sad but true that companies won't allow 'security' to be
added, or they will at least charge for it because it's now widely
accepted that 'security' is 'feature' not a requirement. And consumers
will never care; look at health warnings on cigarettes for example (at
least in Australia): "Smoking causes cancer.", yet people still smoke.
It will be exactly the same with software. jmho...

-- Michael
