

RE: Charging customers on security

Subject: RE: Charging customers on security
Date: Wed, 29 Sep 2004 08:58:41 -0700
From: Patrik Sternudd [mailto:patrik.sternudd@copper.se] 
Sent: Wednesday, 29 September, 2004 10:59

> Unfortunately, Michael is quite right. One could wish it were
> not so, but that won't change the fact.

Thanks.  I also wish that economics weren't an issue for providing secure
commercial software - our jobs would be easier if it were only (!) a matter
of ideology - but, as security professionals or software professionals or
just people interested in seeing more secure software, we don't do ourselves
any favors by ignoring obstacles just because they're unpalatable.  And
software economics is definitely an obstacle.

> Well. If you ask me, many organisations do not want security.
> It's expensive. Not only to purchase, but also to maintain.

True.  This isn't always a simple case of "management too dumb to pay for
security", either.  Consider a CIO who says, "our formal security analysis
indicates that your application represents only 2% of our total exposure.
We've estimated and budgeted $X for recovering from security failure."  That
means that improved security that raises the price of your product more than
$0.02X is financially unjustified for that customer.

And that's not an implausible situation, if your product will be running in
an environment that's chock-full of other vulnerabilities.  (See recent
story in RISKS about FAA-mandated digital radio system for airplane-control
tower comms which runs on unpatched Windows 98 boxes.  System fails if not
manually rebooted every 30 days or so.  The reliability of the application
is pretty far down on *that* attack tree.)

The CIO answers to the CEO, who answers to the board, who answer to the
shareholders.  And the shareholders care about the bottom line.  They're not
going to buy any ideological argument about the inherent superiority of
secure software, or of the good for the data-processing community.  If they
believe that it's cheaper in a particular case to spend the money on
disaster recovery rather than disaster prevention, that's what they'll
choose.  I bet there isn't a single publicly traded corporation in the
world which has a voting majority of shareholders who understand and care
about software security.

If we want companies to use more secure software, *that* is the problem we
need to solve.  There are a number of ways of doing that.  Make security
cheaper, by using better development practices.  Challenge the estimates of
the costs of disaster recovery, to argue that security is the cheaper
option.  Muster public opinion against security breaches, so that they gain
an added PR cost.  Expose flaws in insecure software, to increase the
frequency (and so total cost) of maintenance efforts (and, unfortunately,
the frequency and total cost of disaster recovery).  And so forth.

Arguing that security is The Right Thing To Do, on the other hand, is a
swell marching cry but a lousy marketing technique.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
