Customer Demand

[goertzel_karen at bah.com (Goertzel, Karen [USA])]

I think we need a multifaceted approach that includes supply side, demand side, insurance companies, consumer 
protection organisations, etc. etc. 

We need regulation with legal penalties - as exist for airlines, for example - for software firms that fail to meet 
minimal standards for quality - which must be defined to include security (using demonstrated linkages to existing 
legislation as a catalyst - i.e., non-secure software makes it impossible to be HIPPA, FISMA, SOX, PCI, etc. compliant).

We need a system of evaluation (like Good Housekeeping seal of approval, but NOT like Common Criteria) for consumers to 
be able to easily determine which software meets the minimum standards for "goodness".

We need the insurance firms that are now offering security and CIP related products to add software security criteria 
to their definitions, so that their customers who buy demonstrably secure software get breaks on their premiums, and 
those that willfully engage in risky behaviours - i.e., persisting in use of bad software - are penalised by higher 
premiums or, ultimately, having their coverage dropped.

We need to educate end users as we did with seatbelts and cigarettes - a series of really good public service 
advertisements that clearly and engagingly depict what happens as a result of AVOIDABLE (by developers) 
security-related failings in software. With outlets like YouTube, the budget to broadcast such advertisements would be 
significantly smaller than it would have been when only the media outlets were big commercial networks.

Just some ideas - no doubt some better than others. The real message is "Yes, we need to change consumer behaviour" - 
but that alone won't get us where we need to go. 

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_karen at bah.com
________________________________________
From: sc-l-bounces at securecoding.org [sc-l-bounces at securecoding.org] On Behalf Of Brad Andrews [andrews at 
rbacomm.com]
Sent: Friday, August 21, 2009 12:08 PM
To: sc-l at securecoding.org
Subject: [SC-L] Customer Demand

While no customer is likely to say they don't care about software
working now that we are past Y2K, they don't think about it at all and
are unlikely to allow any schedule slippage to allow for making sure
that is true.

Customers only really care about the things they will pay for.  Many
companies claim they "can't stand" poor software or services, but they
still pay for them, so they will keep getting them.

Until we convince them that good security really is important and that
they must demand and pay for it, we won't make the progress we want to
make.

How many companies wouldn't even be doing the PCI level of effort if
they weren't forced to do so?  How many strictly limit it to their
"PCI environment" rather than looking at the risk to the whole
enterprise?  Even major breaches don't help since the "it can't happen
here" attitude is common all over, in spite of the fact it is a risky
stance.

While part of this is just a cynical rant, I think the base point is
that we have a whole lot more selling to do on the need for software
security before we can properly place it throughout the curriculum.
That sales job is hard.  The fact a few people have "gotten it"
doesn't mean most have or that we are completely ready for the next
step.

I realize many here may not be saying that, but that is the message I
get stepping back.  And I am a dreamer/visionary.  I like to think
well ahead of things, but focusing too much there makes us likely to
continue to be a niche area, leaving lots of vulnerabilities.

Wouldn't a better focus be on the customer demand end?  Stirring that
up will do more to advance secure development than any number of
maturity models.  Unfortunately, it is a much more difficult task.  I
would bet it is also not as conceptually interesting to many.

--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Martin Gilje Jaatun <secse-chair at sislab.no>:

> His stance on this
> is that "if security were important to the customer, the customer would
> provide and prioritize security requirements". To me, this is a bit like
> saying "If the customer doesn't explicitly state that the software
> should be Y2k-proof, he/she is not really bothered about it".

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________