Last week’s WSJ has an article on software liability. This is absolutely the software industry’s worst nightmare. I don’t understand why people don’t understand this. Mark my words – every single piece of software you own is vulnerable today, right now. I am not kidding, I am certain of it. And you should be, too.
Software liability creates a blank check for people with grudges. It will completely eliminate Open Source. It will create a world of "black boxes" with warranties that are invalidated as soon as you take them out of the box. [This will be a huge boon for Sony Playstation, Microsoft's Xbox (ever wonder why they love their very own "black box" appliance?), TiVo, and any other "black box" because that will be the only way they will chance selling product.]
And it will be very, very, very expensive.
I think you should support it as long as you are willing to overhaul your entire existing computer environment.
Check here for a previous related post. The real problem is not bad software, it is untethered egotists constantly seeking out new vulnerabilities.
A solution: Software Safety Data Sheets modeled after the chemical industry’s Material Safety Data Sheets that describe the interactions of a chemical with its environment. The SSDS would include checksums on every file, processes and subprocesses, file system ACLs, input buffer sizes for every variable, all network ports used, shared DLLs and other files, and anything else smarter people than me deem necessary to identify how software interacts with its environment. This policy (XML document) would then be imported into my Host Intrusion Prevention solution.
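An added example, not from the post or any HIPS product, of how a host agent could check a machine against such a data sheet. The XML schema, the sample files and the function names are assumptions made for illustration, and only the checksum and network-port items are covered.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample data: stands in for the files installed on disk.
FILES = {
    "app/server.exe": b"server build 1.0",
    "app/helper.dll": b"helper build 1.0",
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Hypothetical SSDS layout; the post does not define a schema.
SSDS_XML = f"""<ssds product="ExampleApp" version="1.0">
  <file path="app/server.exe" sha256="{sha256(FILES['app/server.exe'])}"/>
  <file path="app/helper.dll" sha256="{sha256(FILES['app/helper.dll'])}"/>
  <port proto="tcp" number="8443"/>
</ssds>"""

def load_ssds(xml_text):
    """Parse the data sheet into declared file hashes and declared ports."""
    root = ET.fromstring(xml_text)
    files = {f.get("path"): f.get("sha256").lower() for f in root.iter("file")}
    ports = {(p.get("proto"), int(p.get("number"))) for p in root.iter("port")}
    return files, ports

def check_host(xml_text, observed_files, observed_ports):
    """Return deviations between the data sheet and the observed host state."""
    declared_files, declared_ports = load_ssds(xml_text)
    findings = []
    for path, digest in sorted(declared_files.items()):
        if path not in observed_files:
            findings.append(("missing-file", path))
        elif sha256(observed_files[path]) != digest:
            findings.append(("checksum-mismatch", path))
    for path in sorted(set(observed_files) - set(declared_files)):
        findings.append(("undeclared-file", path))
    for proto, number in sorted(observed_ports - declared_ports):
        findings.append(("undeclared-port", f"{proto}/{number}"))
    return findings

if __name__ == "__main__":
    # Constructed host state: one modified file, one extra file, one extra port.
    tampered = {**FILES, "app/helper.dll": b"patched", "app/extra.dll": b"x"}
    for finding in check_host(SSDS_XML, tampered, {("tcp", 8443), ("tcp", 4444)}):
        print(finding)
```

The data sheet becomes the trust anchor for every check, so an agent would need to authenticate it (for example with a vendor signature) before importing it.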
Whew! Nice to hear such clarity on liability.
I am very skeptical about the ability to clean up the coding since features always trump design in our free market society – for a nice European perspective on the ‘right way’ to write code see Clive Robinson’s comment at:
http://www.schneier.com/blog/archives/2005/02/regulation_liab.html#comments
IMHO his advice is DOA (even a fine German company like SAP has some of the craziest spaghetti code imaginable). I say that as someone who has tried to secure common applications only to repeatedly discover that vendors can’t tell you how their applications really function – such as reading a Microsoft paper on what network ports are needed for an application (they specify unneeded ports and forget others that are critical).
The best I can imagine is that we manage the risk and those whose governance (or luck) fail them will go extinct as ‘better’ solutions come along. (Will we see that with Microsoft losing market share to Firefox or Apple?)