We seem to be starting out 2007 rehashing old ideas – especially bad ones. Schneier has a new/old posting on software liability on his blog today. I guess it is time for me to rehash the counterargument that outlines why software liability is a bad idea.
Here is the opener from an old Computerworld article I wrote on the topic:
All of you who support software liability, do me this favor — the next time you see a software developer, just walk up to him and slap him in the face! All this latent hostility is making you come up with really, really bad ideas.
You see, liability proponents often hide their discussions of liability behind "evil" big companies such as Microsoft, but the fact remains that they’re targeting each and every software developer out there, because every developer codes vulnerabilities into their programs.
(By the way, I was just kidding about the whole slap in the face thing.)
Here is a summary of my solution:
Software Safety Data Sheets modeled after the chemical industry’s Material Safety Data Sheets that describe the interactions of a chemical with its environment. The SSDS would include checksums on every file, processes and subprocesses, file system ACLs, input buffer sizes for every variable, all network ports used, shared DLLs and other files, and anything else smarter people than me deem necessary to identify how software interacts with its environment. This policy (XML document) would then be imported into my Host Intrusion Prevention solution.