Businesses Want Software Companies To Take Responsibility For Security Holes
from the face-up-to-what-they've-done-wrong dept
The debate has gone on forever about just how liable software companies should be for security holes that are later found in their software products. Both sides make compelling points. Those who are constantly patching and dealing with the security holes say that the software makers should be held responsible for their poor product design. Software developers point out that designing without any bugs or security holes is simply impossible – and making the company liable for any problems would destroy most software companies (especially small, independent developers). Either way, companies are sick of taking the blame for not patching security holes and are saying that software developers, even if they don’t accept liability for vulnerabilities, at least need to accept some responsibility for making the situation better. The Business Roundtable, a trade group of CEOs, is calling on software companies to do a better job building in security, while also making it easier to update and secure systems when new vulnerabilities are found. They’re also calling on the companies to continue to support older versions of their software after newer versions are on the market. They admit that companies do need to be vigilant about protecting their IT – but they want more help from the software developers. It seems like this is an obvious opportunity for managed security vendors to step up and offer solutions in the middle. The security problems are not going to go away – if anything, they’re going to get worse. What needs to be done, however, is to look for a better solution to forcing an in-house IT staff to be ever-vigilant about patching every single application every time a new vulnerability is found.
Comments on “Businesses Want Software Companies To Take Responsibility For Security Holes”
Liability a good thing
I write software for a living, and I think that some sort of limited liability for errors in software would be a good thing for just about everyone. I say limited, because of course if you use my code in some way that makes your (and my) total risk exposure huge, that’s not my fault.
At least, not unless I told you it was safe do that.
But the idea that all software companies can put out these EULAs that disclaim all liability is evil. The unfortunate UCITA that gives these the force of law is utter evil. I like Ron Burk’s idea of a virus that automatically clicks any button that says “I agree” so consumers could disclaim ever having seen the EULA at all.
In other words, if I make millions of dollars dependent on the working of say, Microsoft Access, don’t do backups, and then try to recover those millions, that shouldn’t fly — unless they told me it was safe (and they do). But I should be able to recover something “at all” in the event the loss was due to their faulty code. It would motivate them to make the basic stuff better instead of constantly adding “features”.
Sadly, it doesn’t matter what big companies like Microsoft say about improving security. They cannot do it without totally breaking backwards compatability with all their apps, and most third party apps. You can guess how likely that is to happen. Many of the “holes” are “features” that these applications depend on for normal operation.
The ability to broadcast windows messages to all top level windows is needed for orderly shutdown, for example. But it can also be used to send alt+f4 to the firewall code, shutting it down. The ability to transparently run mobile binary code, the basis of COM, DCOM, OLE, ActiveX and so on, is another huge port of entry for malware, but if you remove this, then most of the “features” of Office are also gone.
Security has to be designed in at the start. Microsoft never considered the implications of networking until it was too late for this.
No Subject Given
Why should software be different from any other product ? If you build a POS car and get injured, you hold the car company libel and will usually get damages awared $$$ of some kind. Software should be no different. And like automobiles, we have become severely dependent upon it, expect it to work, and often, it’s failure to work causes great harm. So I should have the right to hold the software company libel.
On the other hand, the software maker, should be allowed to provide themselves some type of protection such as a disclaimer that patches not applied with a reasonable amount of time relieve them of liability.
There would obviously need to be a meeting of the minds (or lawyers) to determine what’s reasonable, but software manufacturers should not be able to simply wash their hands of the matter if the software causes the end user some kind of monetary harm.
Would give the lawyers lots of work and the judges a chance to set precedance in lots of new cases.
Re: Software is (& isn't) different
Software isn’t governed by any legal rules different than any other product. Every product maker is able (in a legal sense, not necessarily in a practical, market-responsive sense) to limit the manufacturer’s liability as much as it wants. There are two caveats: first, public policy is invoked to prohibit any limitation on liability for personal injury (actual physical injury); and second, a contractual limitation is not binding on third parties.
The rationale for the first caveat is that we don’t want to put an explicit price on human injury and suffering, even though we do it implicitly all the time and are forced to do it explicitly at trial.
The rationale for the second caveat is a corollary of the underlying power to limit liability. If two parties contract for the delivery of an operating system, they can decide how to allocate the risk of economic losses from failure. For example, if you want Windows XP to be crashproof, you’re free to buy that, but at the price MS sets. The software industry as a whole has moved to a model where they’re not willing to be responsible for crashes, security problems, etc., AND the buyers of software are a fortiori okay with that since they are still buying the software.
A last example: think of these types of guarantees like the service plan they offer you on anything you get at Best Buy. You can either pay the money to get the protection or decide to bear that risk yourself. That decision, translated to a zillion different types of issues, is the heart of contract law and the reason why you sue the car manufacturer in an accident but you take your data losses in stride — you’ve already paid for the crash protection upfront by getting a cheaper price for the software.
Rick