Laws to Punish Insecure Software Vendors?

Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure." Yeah that'll work.

Everyone would be in violation

[alen]

Linux, Solaris, HP-UX, MS WIndows and a bunch of other products have holes in them that SANS tells others about. Has there ever been a piece of software with no security holes?

Re:Freedom of Speech

[cperciva]

This raises some constitutional issues - Do I have the right of freedom of speech ( as code has been found to be in some cases ) to utter an incorrect program?

Do you have the right of freedom of speech to utter other potentially hazardous comments? Yelling "FIRE!" in the middle of a crowded theatre is dangerous, and illegal. If you're engineering a bridge, does "freedom of speech" give you the right to design it so that it will collapse when people try to use it?

There is a wide legal history for freedom of speech ending when it causes harm to others.

Just like a LLP

[Mr.+Fred+Smoothie]

The software producer's liability should be limited to the amount of their financial return on the software, except in cases where gross negligence is apparent. If I never made a dime of the sale of the software, I should be liable only for that $0.

Legislation vs. Certification

[gotan]

It's really very basic: ensuring better security is costly, and handling the threat of liabilities too (for example by buying insurance to cover the risk). These are costs and risks a large corporation (like Microsoft) may be able to handle, but for small outfit, or small open source projects it's much harder. Something the size of mozilla, or the linux kernel can afford good QA and will find backers to handle the risks, but small projects would be forced under the cover of some larger organisation or the distributors. Also, in the case of open source projects, the sponsors would demand some say in the development process, or maybe even licensing of the software. But small software makers are in a similar position: To handle the risk of litigation they'd need a backer, they won't have the resources until their Software sells well.

By charging higher premiums to insure companies using software with a bad track record, there are already market forces in place: include that difference in premiums in the TCO-calculations microsoft is so fond of to prove that Windows is cheaper than any competition, and make management aware of it (and make them wonder why that insurance company wants higher premiums for insuring against damages from security holes in that software).

Legislation could hurt many a small software maker, and it would also be subject to heavy lobbying from Microsoft to see to it that their interests are hurt the least, a better idea would be an independant (that's the hard part) organisation providing certification of software. Once that is established there could be legislation demanding minimum standards for software used in certain critic areas.

That way each software maker could choose how much to invest in security and QA, and it would be more transparent for customers how secure a product really is, so they wouldn't have to rely on the software-makers advertising for that kind of information. In effect the insurance conditions and premiums for different kinds of software are already an indicator for its security, and the insurance companies probably have a high interest in accurately estimating the risks, so probably they should play some part in ensuring the proposed organisations independance.

Unsafe at any speed

[Animats]

I've been proposing this for years. What's needed is to require commercial software companies to provide a "full warranty", as defined in current Federal law.

It took legislation to make cars safe. The auto companies hated it. They fought every inch of the way. But it made the auto industry grow up and make their products really work, no matter what.

Every major industry goes through this transition, where society insists that the technology work safely. Railroads did. Steam boilers did. Autos did. Civil engineering did. Electric power did. It's time for computing to do it.

It's time for the software industry to grow up and stop hiding behind one-sided licensing agreements. Software is too important in modern life to be as crappy as it is.