Insecure Software Costs US $180B per Year - Application and

[robert at webappsec.org (robert at webappsec.org)]

I think many companies are working on making their code more secure however without some sort of 
penality to the business the others aren't going to invest in security. This in particular is why
I like what PCI has done (as an example) enforcing 'some' bare requirements/penalties for not doing
While it isn't perfect it's something.

I've spoken with a few organizations debating penalizing a developer financially if 
they have vulnerabilities in their code. It is actually pretty difficult to enforce
without the proper training/policies/procedures in place. I think if a tax existed 
this would force companies to develop these sorts of programs since it will most likely
be less expensive than paying the fine. 

My $1.50

Regards,
 - Robert Auger
http://www.webappsec.org/
http://www.cgisecurity.com/


> --===============1159861409==
> Content-Type: multipart/signed; boundary=Apple-Mail-774--974102641; micalg=sha1;
>       protocol="application/pkcs7-signature"
>
>
> --Apple-Mail-774--974102641
> Content-Type: text/plain;
>       charset=US-ASCII;
>       format=flowed;
>       delsp=yes
> Content-Transfer-Encoding: 7bit
>
> FYI, there's a provocative article over on Dark Reading today.
>
> http://www.darkreading.com/document.asp?doc_id=140184
>
> The article quotes David Rice, who has a book out called   
> "Geekconomics: The Real Cost of Insecure Software".  In it, he tried  
> to quantify how much insecure software costs the public and, more  
> controversially, proposes a "vulnerability tax" on software  
> developers.  He believes such a tax would result in more secure  
> software.
>
> IMHO, if all developers paid the tax, then I can't see it resulting in  
> anything other than more expensive software...  Perhaps I'm just  
> missing something, though.
>
> Cheers,
>
> Ken
>
> -----
> Kenneth R. van Wyk
> SC-L Moderator
> KRvW Associates, LLC
> http://www.KRvW.com
>
>
>
>
>
> --Apple-Mail-774--974102641
> Content-Disposition: attachment;
>       filename=smime.p7s
> Content-Type: application/pkcs7-signature;
>       name=smime.p7s
> Content-Transfer-Encoding: base64
>
> MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGdjCCAy8w
> ggKYoAMCAQICEE3TNKjT6vVPziZ4GZOH6N4wDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkEx
> JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQ
> ZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA3MDkxNTEzMzAxM1oXDTA4MDkxNDEzMzAx
> M1owgYoxEDAOBgNVBAQTB1ZhbiBXeWsxGDAWBgNVBCoTD0tlbm5ldGggUmljaGFyZDEgMB4GA1UE
> AxMXS2VubmV0aCBSaWNoYXJkIFZhbiBXeWsxGzAZBgkqhkiG9w0BCQEWDGtlbkBLUnZXLmNvbTEd
> MBsGCSqGSIb3DQEJARYOa2VuQHZhbnd5ay5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
> AoIBAQCqSxE6IaWzPYQK1MHK/5vFDNb7GmfI/WVjnBVDvyg2wC0EI1zhMGCRJtE78wPRshTg7kC5
> B8W2qNBIxRO8bkU3+Qw8ZRFjPz8EKDoxJuK6byfip64h5Q/HcL6JWNPRrHZQXwpEisehEgytMOJs
> JAoLzHUqi2zVz6Wq+NDhtmOIlegvnlcLiHY+IxZaK4bLe/p3717OtswZtJ+xQUS5J9DUf99PIR8q
> DWqt/fFBqhQ9a2zewPH/+Jrwnhl/2WdkCWBEn0kkz9J77hNVe7O0NAKGTirWkU3JKY39wCjb7pf2
> 0TNtoFvfj6oTTOwEdvIZkm6C/HMCf4Cwpc+zlLG6VhzlAgMBAAGjOTA3MCcGA1UdEQQgMB6BDGtl
> bkBLUnZXLmNvbYEOa2VuQHZhbnd5ay5vcmcwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOB
> gQC7cfuLAK0R/H9LyvtBl4+8wt64B7eyTdQDQTyRUyH1IfJAPgXcG8edBPV/3ff6LOIf5bI0MBjF
> HjyavBM8532SVgzs+aadJ3gA8OFDnAAcA8lL0vgx1UJATWLneTxNDz5cauUdTpUAckw1V6tQ/erB
> a2BBcLPSdoT9P2B90LMPQDCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNV
> BAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UE
> ChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
> aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJ
> ARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYy
> MzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBM
> dGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkq
> hkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6
> YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+
> B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8E
> CDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQ
> ZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UE
> AxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+s
> vsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydx
> VyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggMQ
> MIIDDAIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5
> KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQTdM0
> qNPq9U/OJngZk4fo3jAJBgUrDgMCGgUAoIIBbzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG
> CSqGSIb3DQEJBTEPFw0wNzExMjkyMjQ3MDlaMCMGCSqGSIb3DQEJBDEWBBSyteyFAANif1U5spNG
> +rNDEWeLejCBhQYJKwYBBAGCNxAEMXgwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3Rl
> IENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWls
> IElzc3VpbmcgQ0ECEE3TNKjT6vVPziZ4GZOH6N4wgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYD
> VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMj
> VGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEE3TNKjT6vVPziZ4GZOH6N4wDQYJ
> KoZIhvcNAQEBBQAEggEAn7HQrs0Uu05KKl1aFqFrYpZlXHMh4CDVWvbhdb+EpYESr1qo4zi66eqn
> jO2ahM0ZkiVCJD2Nk+z68x7w6aQTw+DMPBL2/N9TkpTuh6NPjA/X12mY5DNoui9vEpj+vhunuQHB
> jJQewOpfw4vjNfMdFPuKHJJ0X+MiipoQ8y7dQJjIX+epjtkVkKT93KVZM1L+cgqe8NUFZuKYC09r
> qEyU+i7bsUug+AwqlHYsOd4b4T+s3dvhLIohjqGR9+5RLxFbTzPRgCvFo1A4yP/VME++cdntnIhK
> gz6AQOGQ/ZZpX/0XEIjS0NXTeJ5w7mUitU/KWAjKpt+8BL1K2dp6do3IWQAAAAAAAA==
>
> --Apple-Mail-774--974102641--
>
> --===============1159861409==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
> --===============1159861409==--