Secure Coding mailing list archives
Economics of Software Vulnerabilities
From: ed.reed at aesec.com (Ed Reed)
Date: Tue, 20 Mar 2007 10:54:09 -0400
Steven M. Christey wrote:
> On Mon, 19 Mar 2007, Crispin Cowan wrote:
>
>> Since many users are economically motivated, this may explain why users don't care much about security :)
>
> But... but... but... I understand the sentiment, but there's something missing in it. Namely, that the costs related to security are not really quantifiable yet, so consumers are not working with the best information. Then there's simple lack of understanding, such as that exemplified by an individual consumer - their computer gets really bogged down and slow, and they don't know what's happening, so they go buy a new computer, when it was "just" a ton of spyware from surfing habits that they didn't know were unsafe, or they were running some zombie that was sucking up all their bandwidth for warez distribution.
That's the sort of economic inefficiencies that I'm talking about - unfortunately, economic forces operate on scales of decades and centuries, not months. While we're still in this phase of rapid expansion of Information Technology growth, software moves too fast for regulations and sluggish consumer reaction to force changes on suppliers.
>>> Eventually I think they'll get fed up and there'll be a consumer uprising.
>>
>> Why do you think it will be an uprising? Why not a gradual shift where the vendors just get better, exactly as fast as the users need them to?
>
> I really really wish for an uprising, but unfortunately I'm not too optimistic right now. Off the top of my head, I can't think of any consumer uprisings in other industries, although the US' recent decline in fuel-inefficient vehicles is sort of close. Didn't some large brick-and-mortar companies heavily criticize the software industry a couple years ago? I don't know how that played out.
Not all of these are consumer uprisings - some are, some aren't - but I think they're all examples of the kinds of economic adjustments that occur in "mature" markets.

* Rise and Fall of unions (the triumph of worker safety and rights over egregious industrial working conditions, and the subsequent triumph of increased productivity over lethargic labor responsiveness to international competitive pressures)
* "Unsafe at any speed" (the triumph of consumer safety over industrial laziness)
* Underwriters Laboratories (the triumph of the fire insurance industry over shoddy electrical manufacturers)
* Alternating Current power distribution (still waiting for consensus on the 110v/220v disagreement)
* The Rise and Fall and Rise of AT&T (industry consolidation, followed by forced divestiture, followed by reconsolidation)
* Demise of the IBM PS/2 (the triumph of commoditization over monopoly control)
* VHS (vs. Betamax - the triumph of content over technology)

Note that only the last two of these occurred "quickly" - within a decade or so of the change that set the stage for them, and they might both be better characterized as featurism competition. But you get my point - auto safety wasn't an issue in the first half century of the industry, it took unions a couple of centuries to gain strength in the face of the industrial revolution (and another half century to squander their good will), and it took decades for the fire insurance industry to develop and respond to the new dangers introduced by poor electrical wiring.

Software and computer technology are having similar kinds of sweeping productivity gains (though it took 40 years or longer for the effect to gain enough momentum to be really measurable). And we have already seen the costs of shoddy product borne mainly by the end consumers, rather than by the producers. I'm just saying that over the long run, that imbalance will shift and even out - I just hope to live to see it, whether it happens before I retire, or not.
Ed (whose beard IS gray and who DOES mutter to himself that you can't add security to a system if it's not secure to begin with)
> - Steve