The cost of secure software

Software that needs to be secure against a motivated attacker - say, a hacker - costs a factor of magnitude more to produce than software that only needs to protect against incidental abuse. The security panel at the Embedded Software Summit estimated the total cost at less than $1,000, but more than $100 per line.

That tells you why all versions of Windows prior to 2003 and Vista, and all existing releases of Linux and OS X, are hackable crap.

Sadly, though, security does not seem to be something the median user makes a purchase decision on. The big new feature of Windows Vista is significantly increased security. For me personally, this was important enough that I went out and bought a new machine specifically to run Vista. It works great.

Yet, most other people keep dwelling on things like: "My buggy Windows XP drivers do not work."

Granted, for every day users, the security is not nearly there yet. Microsoft has improved greatly in recent years, largely as a response to negative PR about how Windows is "hackable". But other companies have not experienced the flak, and writing secure software is expensive. So they don't.

It will take a while before secure software becomes an industry-wide standard. And to some extent, insecurity will probably always be present. When most people start out programming, they aren't experienced enough to write secure code.


Popular posts from this blog

When monospace fonts aren't: The Unicode character width nightmare

"Unreachable" beauty standards

Is the internet ready for DMARC with p=reject?