Security experts debate if markets or legal liability will ensure secure software

Security experts agree that vendors lack the incentive to produce secure software, but have different opinions on how to solve this

Consumer desire for unnecessary features has encouraged the development of insecure and unreliable software products, said Tenable Network Security CSO Marcus Ranum, during a debate on Wednesday about software liability at the RSA security conference in San Francisco.

Ranum's discussion partner, British Telecommunications' chief technology security officer and renowned cryptographer Bruce Schneier, however argued that introducing liability for software vendors will give them an incentive to build software with security in mind.

Right now consumers support the cost of unreliable software, Schneier said, adding that software vendors won't take security seriously until it's cheaper to do it than not to do it.

Liabilities are everything, because they change the economic incentives, Schneier said. Vendors shouldn't support all costs if something goes wrong because of their software, but they shouldn't get away without paying anything either, he said.

Schneier used the automotive and financial sectors as examples of industries where introducing liabilities has led to security improvements.

Cars got safer after courts decided to hold automotive manufactures responsible for serious defects and banks have implemented credit card security systems after they started being forced to reimburse customers for credit card fraud loses, he said.

We can't rely on the ability of consumers to reward the best vendor because pretty much all of them are bad and there aren't many options, Schneier said.

Ranum agreed, but said that this is because consumers already chose the mediocre and killed the companies that actually produced reliable software in the process.

"The invisible hand of the market has done its work. Dancing pigs is all we want," Ranum said, referring to the consumer's desire for new features rather than reliability, which is expressed by them buying new product versions that are not really necessary.

The solution is not mandating liability for software vendors, because this will benefit big companies who can afford to hire good lawyers and get away with paying less, Ranum said.

Determining the damage costs that result from the use of unreliable software is also very difficult to do. "How do we value how much it cost to get hacked?" Ranum asked.

The answer to forcing vendors to take security seriously lies with manipulating the market, he said. We need to stop buying software that's bad, keep using the one we already have and refuse to upgrade until the product is solid, Ranum said.

The issue of software liability is not new and it remains to be seen if governments will eventually step in with regulation or the market will react by refusing to buy bad products.

However, people on both sides of the barricade seems to agree that, for now, vendors have little, if any, incentive to invest in the development of secure software.

Join the CSO newsletter!

Error: Please check your email address.

More about British TelecommunicationsetworkRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts