SD TIMES BLOG

I'm not encouraged by the state of software security. A few big vendors have made security a requirement in the development life cycle, but most won't say whether they have or not. Security requires a big investment as well as executive buy-in; it is not trivial.

Microsoft is making a big effort to get Windows developers to follow its Security Development Lifecycle (it even created a Visual Studio template), but buy-in has been limited to a few large customers. Likewise, efforts to teach security at universities have fallen flat. An NSA program that provided incentives, including scholarships and grants for students, achieved limited success against university culture.

Aside from greater security for infrastructure (firewalls, anti-virus programs, patching), I've seen little progress outside of a handful of companies. Progress has come too slowly, and infrastructure and people's personally identifiable information are at risk. The only thing that has been helpful to secure PII is a combination of bad press and government statutes.

That is why I thought a bill proposed in the UK House of Lords in 2007 was a good idea: It suggested that a liability framework be established to prevent software makers from dumping risk onto their customers. There has been no economic incentive to do security right.

The Chevrolet Corvair was recalled after consumer advocates claimed that it was "unsafe at any speed"; once that liability existed, General Motors had a clear commercial incentive to manufacture safe products. Liability might be the right kind of medicine for the software industry.

Companies that follow SDL-like processes would not be held negligent. Making software secure is difficult work, and no one knows what attack vectors will appear in the future. However, companies that do not invest in security should be held liable.

President Obama's decision to make cyber security a national priority has changed my mind for the time being. I'm willing to withhold judgment to allow his plan to work. Public/private partnerships have produced excellent results in the past, and the industry might do what is necessary to forestall regulation. Companies should not forget that this is a national priority.

The stakes are high and my patience isn’t infinite. I'd advocate regulation if progress is not significant by the President's second term (or at the start of his successor's term). Remaking how software is made is a huge task, but then again so was the Apollo program.

Share this link: http://www.sdtimes.com/blog/1442
Microsoft | security