Secure Coding mailing list archives
Economics of Software Vulnerabilities
From: crispin at novell.com (Crispin Cowan)
Date: Mon, 19 Mar 2007 16:39:24 -0600
Ed Reed wrote:
Crispin Cowan wrote:
Crispin, now believes that users are fundamentally what holds back security
I was once berated on stage by Jamie Lewis for sounding like I was placing the blame for poor security on customers themselves.
Fight back harder. Jamie is wrong. The free market is full of product offerings of every description. If users cared about security, they would buy different products than they do, and deploy them differently than they do. QED, lack of security is the users' fault.
I have moved on, and believe, instead, that it is the economic inequities - the mis-allocation of true costs - that is really to blame.
Since many users are economically motivated, this may explain why users don't care much about security :) A competitive free-market economy is really a large optimization engine for finding the most efficient way to do things, because the more efficient enterprises crush the less efficient. As such, I have a fair degree of faith that senior management is applying approximately the right amount of security to mitigate the threat that they face. If they are not doing so, they are at risk from competitors who do apply the right amount of security. What has made the security industry grow for the last decade has been the huge growth in connectivity. That has grown the attack surface, and hence the threat, that enterprises face. And that has caused enterprises to grow the amount of security they deploy.
Add the slowly-warmed pot phenomenon (apocryphal as it may be) - customers don't jump out of the boiling pot because they're too invested to walk away. Eventually I think they'll get fed up and there'll be a consumer uprising.
Why do you think it will be an uprising? Why not a gradual shift, with the vendors just getting better exactly as fast as the users need them to?
Until then let's encourage better coding practices and secure designs and deep thought about "what policy do I want enforced".
Technologists figure out how to do stuff. Economists and strategists figure out what to do. We can encourage all we want, but we are just shouting into the wind until enterprise users demand better security.
Crispin
Current thread:
- Economics of Software Vulnerabilities Ed Reed (Mar 06)
- Economics of Software Vulnerabilities Crispin Cowan (Mar 12)
- Economics of Software Vulnerabilities Gadi Evron (Mar 12)
- <Possible follow-ups>
- Economics of Software Vulnerabilities Gary McGraw (Mar 13)
- Economics of Software Vulnerabilities Gadi Evron (Mar 13)
- Economics of Software Vulnerabilities Gary McGraw (Mar 13)
- Economics of Software Vulnerabilities Crispin Cowan (Mar 19)
- Economics of Software Vulnerabilities Ed Reed (Mar 19)
- Economics of Software Vulnerabilities Crispin Cowan (Mar 19)
- Economics of Software Vulnerabilities Steven M. Christey (Mar 19)
- Economics of Software Vulnerabilities Ed Reed (Mar 20)
- Economics of Software Vulnerabilities Arian J. Evans (Mar 21)
- Economics of Software Vulnerabilities Steven M. Christey (Mar 21)
- Economics of Software Vulnerabilities mudge (Mar 21)
- Economics of Software Vulnerabilities Steven M. Christey (Mar 21)
- Economics of Software Vulnerabilities Crispin Cowan (Mar 19)
- Economics of Software Vulnerabilities Crispin Cowan (Mar 12)
- Economics of Software Vulnerabilities McGovern, James F (HTSC, IT) (Mar 20)
- Economics of Software Vulnerabilities Wall, Kevin (Mar 20)
- Economics of Software Vulnerabilities McGovern, James F (HTSC, IT) (Mar 21)
- Economics of Software Vulnerabilities Steven M. Christey (Mar 21)
