Re: The problem is that user management doesn't demand security

[Stephen Galliver <periodicals () galliver cx>]

Although I write software for a living, I consume much more than I write -- 
much of it being COTS.  I expect the same could be said for most on this 
list.


--On Tuesday, December 09, 2003 11:52 AM -0500, George Capehart wrote:

If software customers/end-users held software vendors accountable for the
security of the software they buy, the software would be more secure than
it is now.


I admit this next question may point to a lack of imagination on my part, 
but as a customer/end-user, *how* do you hold a vendor accountable for 
security?


Buying from the competition is the most obvious idea, but with a market 
segment [1] in a race to the bottom (the cheapest set of the most 
features), there may not be a secure alternative.


Once you have chosen the best product you can, the vendor has your money. 
How then to apply pressure to squash bugs and fill holes?  The current 
model uses a mix of extortion (fix this hole or I release it to the world) 
and loss of brand value or reputation (fix this bug or everyone will know 
you don't support your customers).  Without passing judgment on the current 
model, is there another way?


I wonder if these issues point to the ultimate advantage of the open source 
paradigm: that software is released when it is ready, not rushed out the 
door to corner market share. [2]


I don't know the answers; I just ask the questions...

All the best,
Stephen Galliver


[1] Say, for example, personal finance software, or any other 
"non-commoditized" segment where there are few alternatives.
[2] Of course, open source has its own set of problems, but they're not 
relevant to our topic (I think).