What a bunch of bull

Schneier is off on a sue-your-way-to-security-nirvana run again about software security: "The primary reason the IT security industry exists is because IT products and services aren’t naturally secure."

Naturally secure. Naturally secure. Naturally secure. I can’t seem to get it through my head. What the heck does "naturally secure" mean? Name any non-trivial asset or resource that is "naturally secure." Now up the ante with an intelligent adversary. Somebody, please – what is it that can be naturally secure against an intelligent adversary?

The notion of "natural" security in the face of an intelligent adversary is so fundamentally ignorant that the whole thing must be a charade. It isn’t even a pipe dream – it is an impossibility. Throw in the fact that IT resources are increasing in value and function and there is no doubt of that impossibility.

There is a comment to that same post attributed to "Bruce Schneier" and if it really is Bruce Schneier, then his motives become clear. He writes, "And nothing will change until you can sue that guy’s ass if his security products don’t work." Yeah, right.

4 comments for “What a bunch of bull”

  1. May 4, 2007 at 12:59 am

    I find this post and your Computerworld completely disingenuous.

    Much has been written about the economics of computer security and like many industries before it there has been resistance to change and accountability.

    Once upon a time you couldn’t expect that your Doctor or your Engineer was accountable either until eventually people got regulations and such.

    The history of new products and technologies is one of rapid new developments, snake-oil, eventual regulation as people come to expect a certain level of quality and accountability from the products and services they buy.

    You attempt to make the point that software is somehow inherently different than other products without actually making a strong case that it is.

    If I buy software that claims to provide certain features and benefits, and it doesn’t deliver, at what point can I expect that the developer/vendor had some fault? Should software vendors never be liable for faults in their software? Maybe just never liable for faults exploited by a third-party?

    What about a lock vendor that says their lock is pick-proof and then it gets picked by the average Joe? Should I be able to get restitution from them?

    One of the best pieces I’ve read on the topic came from Cem Kaner – http://www.badsoftware.com/theories.htm.

    I’ve tried to write about it a little on my blog as well but I think he does as good a job as any in explaining the multiple theories of liability that might apply to a given software security/quality situation.

  2. May 4, 2007 at 11:23 am

    Soylent Security

  3. May 10, 2007 at 11:07 am

    IT Seat Belts

    Once people, especially customers, come to expect something, companies may do it without even being sued or having laws about it.
    But people, for all their pride in individuality, are strongly influenced by what everybody else does.

  4. May 11, 2007 at 11:05 am

    IT Security Industry

    It’s always useful to ask provocative questions. Questions like “Do we really need X?” (or the equally provocative “Does Y matter?”) shouldn’t be dismissed with a simple Yes/No answer. Such questions call for an exploration of the true actual or potent…