Secure Coding mailing list archives

Re: Why Software Will Continue to Be Vulnerable


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Sun, 01 May 2005 17:56:59 +0100


What really mystifies me is the analogy to fire insurance. *Everyone*
keeps their fire insurance up to date, it costs money, and it protects
against a very rare event that most fire insurance customers have never
experienced. What is it that makes consumers exercise prudent good
sense for fire insurance, but not in selecting software?


Fire safety is physical, not tremendously complicated, and we have tons of
actuarial data. Software security, on the other hand, is extremely difficult
for anyone to measure -- it takes a lot of effort, even with the most
advanced tools and knowledge.


So there's no way for anyone to tell which software is secure. Many vendors
make dramatically inflated claims about their product's security features
and rarely get called on them. For example, there are dozens of vendors
claiming that their technology solves the OWASP Top Ten -- which is
ridiculous.


Anyway, it's not surprising to me that consumers aren't seeking out
security. Or that vendors aren't providing it for that matter. In my
opinion, the market is broken because of asymmetric information, and it will
never work until we find ways to make security more visible to everyone.


I did a talk on this at the NSA High Confidence Software and Solutions
conference a few weeks back. The slides are here:
http://www.aspectsecurity.com/documents/Aspect_HCSS_Brief.ppt


--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com