Security Software Liability
In this Q&A session in Computer World’s security section, David Rice, the author of Geekonomics: The Real Cost of Insecure Software (Addison-Wesley Professional, 2007), points out the glaringly obvious fact that buyers in the security software market have nearly no leverage when things go wrong.
He makes two extremely valid points:
- The information in the marketplace is nearly entirely asymmetric
- Software producers have no incentive to produce secure software
Where we differ is in how he would solve the problem. David proposes that the best way to incentivize companies to produce good software is to adopt a model similar to the carbon emissions model whereby any company that has a vulnerability that shows up on some CERT list is taxed. The problems with this solution are many.
- Who decides which lists are to be the references? Do we have some industry panel gather to do this? That is just another case of the fox watching the henhouse.
- Who gets the money when companies are taxed? It has to go to the government, which either keeps it or disburses it to the companies that own that particular piece of software. But security professionals are a very fickle bunch, and many companies have policies that do not allow disclosure of which security applications they are using.
- This still does not put any power into the hands of the buyers. The information asymmetry remains as high as ever, if not worse, as companies will fight like hell to reduce the levels of their vulnerabilities in order to avoid massive tax bills.
So what is the solution? Empower the buyers of security software in your organization to negotiate contracts with teeth in them. Every organization is going to put a different number on the cost of a vulnerability, so putting a blanket number on it, as in the carbon emissions model, is far too blunt a tool. Let them assign their own values to different levels of vulnerabilities and simply put those values in their sales contracts. Most software companies’ sales organizations are so hungry for revenue that they will have to capitulate, except perhaps the very largest at first. But if this catches on, even they would have to submit to market forces.
David’s idea of applying traditional economic theory and market dynamics to the security software market is a great one. But let’s not then diverge from market theory when applying the punishments.