Sue Companies, Not Coders

Wired News: Sue Companies, Not Coders

So I was doing my normal 5:45pm last-sip-of-the-latte news-feed jive and came across this article by Bruce Schneier on Wired. Really good article and I can totally agree with his points. Give it a quick read if you're interested in this stuff like me. Coming from experience, where I have been threatened with a lawsuit in the past because a client didn't like the way I set up a securely modded out-of-the-box software app, something like this hits home.

At a security conference last week, Howard Schmidt, the former White House cybersecurity adviser, took the bold step of arguing that software developers should be held personally accountable for the security of the code they write.

He’s on the right track, but he’s made a dangerous mistake. It’s the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits.

To understand the difference, it’s necessary to understand the basic economic incentives of companies, and how businesses are affected by liabilities. In a capitalist society, businesses are profit-making ventures, and they make decisions based on both short- and long-term profitability. They try to balance the costs of more-secure software — extra developers, fewer features, longer time to market — against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales.

My GOD yes... Coming from the experience of attempting to run your own business for 4 years, this is the damned truth...

The result is what you see all around you: lousy software. Companies find that it’s cheaper to weather the occasional press storm, spend money on PR campaigns touting good security, and fix public problems after the fact than to design security right from the beginning.

The problem with this analysis is that most of the costs of insecure software fall on the users. In economics, this is known as an externality: an effect of a decision not borne by the decision maker.

Normally, you would expect users to respond by favoring secure products over insecure products — after all, they’re making their own buying decisions based on the same capitalist model. But that’s not generally possible. In some cases, software monopolies limit the available product choice; in other cases, the “lock-in effect” created by proprietary file formats or existing infrastructure or compatibility requirements makes it harder to switch; and in still other cases, none of the competing companies have made security a differentiating characteristic. In all cases, it’s hard for an average buyer to distinguish a truly secure product from an insecure product with a “boy, are we secure” marketing campaign.

The end result is that insecure software is common. But because users, not software manufacturers, pay the price, nothing improves. Making software manufacturers liable fixes this externality.
