Book Review: Geekonomics: The Real Cost of Insecure Software

[InfoSec News <alerts () infosecnews org>]

http://books.slashdot.org/books/08/01/21/1513226.shtml

[http://www.amazon.com/exec/obidos/ASIN/0321477898/c4iorg  - WK]

Author: David Rice
Pages: 362
Publisher: Addison-Wesley
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-0321477897
Summary: How insecure software costs money and lives

"First the good news in a fascinating and timely new book Geekonomics: 
The Real Cost of Insecure Software, David Rice clearly and 
systematically shows how insecure software is a problem of epic 
proportions, both from an economic and safety perspective. Currently, 
software buyers have very little protection against insecure software 
and often the only recourse they have is the replacement cost of the 
media. For too long, software manufactures have hidden behind a virtual 
shield that protects them from any sort of liability, accountability or 
responsibility. Geekonomics attempts to stop them and can be deemed the 
software equivalent of Unsafe at Any Speed. That tome wanted us against 
driving unsafe automobiles; Geekonomics does the same for insecure 
software."

Now the bad news we live in a society that tolerates 20,000 annual 
alcohol-related fatalities (40% of total traffic fatalities) and cares 
more about Brittany Spears' antics than the national diabetes epidemic. 
Expecting the general public or politicians to somehow get concerned 
about abstract software concepts such as command injection, path 
manipulation, race conditions, coding errors, and myriad other software 
security errors, is somewhat of a pipe dream.

Geekonomics is about the lack of consumer protection in the software 
market and how this impacts economic and national security. Author Dave 
Rice considers software consumers to be akin to the proverbial crash 
test dummy. This combined with how little recourse consumers have for 
software related errors, and lack of significant financial and legal 
liability for the vendors, creates a scenario where computer security is 
failing.

Most books about software security tend to be about actual coding 
practices. Geekonomics focuses not on the code, but rather how 
insecurely written software is an infrastructure problem and an economic 
issue. Geekonomics has 3 main themes. First software is becoming the 
foundation of modern civilization. Second software is not sufficiently 
engineered to fulfill the role of foundation. And third economic, legal 
and regulatory incentives are needed to change the state of insecure 
software.

The book notes that bad software costs the US roughly $180 billion in 
2007 alone (Pete Lindstrom's take on that dollar figure). Not only that, 
the $180 billion might be on the low-end, and the state of software 
security is getting worse, not better, according the Software 
Engineering Institute. Additional research shows that 90% of security 
threats exploit known flaws in software, yet the software manufacturers 
remain immune to almost all of the consequences in their poorly written 
software. Society tolerates 90% failure rates in software due to their 
unawareness of the problem. Also, huge amount of software problems 
entice attackers who attempt to take advantage of those vulnerabilities.

The books 7 chapters are systematically written and provide a compelling 
case for the need for security software. The book tells of how Joseph 
Bazalgette, chief engineer of the city of London used formal engineering 
practices in the mid-1800's to deal with the city's growing sewage 
problem. Cement was a crucial part of the project, and the book likens 
the development of secure software to that of cement, that can without 
decades of use and abuse.

One reason software has significant security vulnerabilities as noted in 
chapter 2, is that software manufacturers are primarily focused on 
features, since each additional feature (whether they have real benefit 
or not) offers a compelling value proposition to the buyer. But on the 
other side, a lack of software security functionality and controls 
imposes social costs on the rest of the populace.

Chapter 4 gets into the issues of oversight, standards, licensing and 
regulations. Other industries have lived under the watchful eyes of 
regulators (FAA, FDA, SEC, et al) for decades. But software is written 
removed from oversight by unlicensed programmers. Regulations exist 
primarily to guard the health, safety and welfare of the populace, in 
addition to the environment. Yet oversight amongst software programmers 
is almost nil and this lack of oversight and immunity breeds 
irresponsibility. The book notes that software does not have to be 
perfect, but it must rise to the level of quality expected of something 
that is the foundation of an infrastructure. And the only way to remove 
the irresponsibility is to remove the immunity, which lack of regulation 
has created a vacuum for.

Chapter 5 gets into more detail about the need to impose liability on 
software manufacturers. The books premise is that increased liability 
will lead to a decrease in software defects, will reward socially 
responsible software companies, and will redistribute the costs 
consumers have traditionally paid for protecting software from 
exploitation, shifting it back to the software manufacturer, where it 
belongs.

Since regulations and the like are likely years or decades away, chapter 
7 notes that short of litigation, contracts are the best legal option 
software buyers can use to leverage in address software security 
problems. Unfortunately, most companies do not use this contractual 
option to the degree they should which can benefit them.

Overall, Geekonomics is an excellent book that broaches a subject left 
unchartered for too long. The book though does have its flaws; its 
analogies to physical security (bridges, cars, highways, etc.) and 
safety events don't always coalesce with perfect logic. Also, the trite 
title may diminish the seriousness of the topic. As the book 
illustrates, insecure software kills people, and I am not sure a corny 
book title conveys the importance of the topic. But the book does bring 
to light significant topics about the state of software, from legal 
liability, licensing of computer programmers, consumers rights, and 
more, that are imperatives.

It is clear the regulations around the software industry are inevitable 
and it is doubtful that Congress will do it right, whenever they 
eventually get around to it. Geekonomics shows the effects that such 
lack of oversight has caused, and how beneficial it would have been had 
such oversight been there in the first place.

To someone reading this review, they may get the impression that 
Geekonomics is a polemic against the software industry. To a degree it 
is, but the reality is that it is a two-way street. Software is built 
for people who buy certain features. To date, security has not been one 
of those top features. Geekonomics notes that software manufacturers 
have little to no incentive to build security into their products. Post 
Geekonomics, let's hope that will change.

Geekonomics will create different feelings amongst different readers. 
The consumer may be angry and frustrated. The software vendors will know 
that their vacation from security is over. It's finally time for them to 
get to work on fixing the problem that Geekonomics has so eloquently 
written about.

-=-

Ben Rothke is a security consultant with BT INS and the author of 
Computer Security: 20 Things Every Employee Should Know.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn