Security Experts Debate If Markets or Legal Liability Will Ensure Secure Software
Consumer desire for unnecessary features has encouraged the development of insecure and unreliable software products, said Tenable Network Security CSO Marcus Ranum, during a debate on Wednesday about software liability at the RSA security conference in San Francisco.
Ranum's discussion partner, British Telecommunications' chief technology security officer and renowned cryptographer Bruce Schneier, however argued that introducing liability for software vendors will give them an incentive to build software with security in mind.
Right now consumers support the cost of unreliable software, Schneier said, adding that software vendors won't take security seriously until it's cheaper to do it than not to do it.
Liabilities are everything, because they change the economic incentives, Schneier said. Vendors shouldn't support all costs if something goes wrong because of their software, but they shouldn't get away without paying anything either, he said.
Schneier used the automotive and financial sectors as examples of industries where introducing liabilities has led to security improvements.
Cars got safer after courts decided to hold automotive manufactures responsible for serious defects and banks have implemented credit card security systems after they started being forced to reimburse customers for credit card fraud loses, he said.
We can't rely on the ability of consumers to reward the best vendor because pretty much all of them are bad and there aren't many options, Schneier said.
Ranum agreed, but said that this is because consumers already chose the mediocre and killed the companies that actually produced reliable software in the process.
"The invisible hand of the market has done its work. Dancing pigs is all we want," Ranum said, referring to the consumer's desire for new features rather than reliability, which is expressed by them buying new product versions that are not really necessary.
The solution is not mandating liability for software vendors, because this will benefit big companies who can afford to hire good lawyers and get away with paying less, Ranum said.
Determining the damage costs that result from the use of unreliable software is also very difficult to do. "How do we value how much it cost to get hacked?" Ranum asked.
The answer to forcing vendors to take security seriously lies with manipulating the market, he said. We need to stop buying software that's bad, keep using the one we already have and refuse to upgrade until the product is solid, Ranum said.
The issue of software liability is not new and it remains to be seen if governments will eventually step in with regulation or the market will react by refusing to buy bad products.
However, people on both sides of the barricade seems to agree that, for now, vendors have little, if any, incentive to invest in the development of secure software.