Vulnerability Management

Software Liability – Awful Idea

by  •  • Comments Off

Saw this article about the latest Microsoft vulnerability. Here is a choice quote:

"Richard Starnes, an information security professional with around 20 years’ experience in information security, incident response, computer crime investigation and cyberterrorism, said that legislation could be used to force Microsoft–and other software developers–to improve their code and take financial responsibility for their customers’ losses.

"I wonder how solid Microsoft’s coding would become if strategic governments around the world removed the liability shield that software manufactures now currently enjoy," Starnes said. "They would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out.""

Software liability is an awful idea. Here’s why:

  • Liability works in favor of big players, since they are the only folks that could afford liability insurance. Smaller players would shrivel up and die, thanks to our progressive policies.
  • Liability for open source software must be assigned (assuming that what we are really worried about is how our computing habits and software choices affect others on the ‘Net – otherwise, we shouldn’t be concerned, right?) or we’ll need to prevent or control open source somehow.
  • The "good" hacking that gives individuals freedom and control over their software and systems would have to be further tightened and controlled. This is already a concern to many techies, so liability would make it worse.
  • It is unlikely that we could identify all vulnerabilities (i.e. people are human, stupid) and even if we did, we couldn’t really believe it.

And a final point from the article:

"Starnes believes the quality of software development has fallen in the past two decades.

"Most commercial releases of software today wouldn’t have made it out of beta 20 years ago," he added."

A lot has changed in the past 20 years. For one thing, people have more choices than ever in putting together their computer architectures. This complexity gives us flexibility and control, but also creates more risk. So be it, we got what we wanted (no, not security – useability and functionality).

Btw, the idea that today’s software wouldn’t get out of beta is pure speculation in a new world where everybody is out looking for vulnerabilities. That didn’t happen back then, but it doesn’t mean those vulnerabilities don’t exist. Plus, all of the basic unix services – smtp and finger come to mind – were available 20 years ago…