Don't rush software security by passing laws

Bruce Schneier writes:
If we expect software vendors to reduce features, lengthen development cycles and invest in secure software development processes, it needs to be in their financial best interests to do so. If we expect corporations to spend significant resources on their own network security -- especially the security of their customers -- it also needs to be in their financial best interests.

Liability law is one way to make it in those organisations’ best interests. If end users could sue software manufacturers for product defects, then the cost of those defects to the software manufacturers would rise. Manufacturers would then pay the true economic cost for poor software, and not just a piece of it. So when they balance the cost of making their software secure versus the cost of leaving their software insecure, there would be more costs on the latter side. This would provide an incentive for them to make their software more secure.

Bruce - I support your general reasoning, but please don't call for governments to pass laws in this respect. We all know what kind of laws they're going to come up with. They're going to be onerous, they are going to be stupid, and they're going to impose a bureaucracy that will raise entry costs so that it will become nearly impossible to start up a small software business without a serious amount of venture capital to begin with.

It's good to call for the culture to change, but the requirement for change should come from the users. No one likes insecure software. No one likes it when their computer is hijacked. Microsoft has made some serious progress in the security area lately - IIS6 is much more secure than IIS5; Windows XP was more secure than 2000, and Windows Vista is a good deal more secure still than XP.

This is evidence that market pressures are working. People are already deciding what software to use on the basis of what is more secure. The more reliable, more secure, more trustworthy options are prevailing. In 10 years, the landscape in software security will be much better than it is today, and the standards will have become higher; progress is already taking place. What we DON'T need is legislation to rush this change and destroy the software market by transforming it into a highly regulated industry till kingdom come.
