Granted, software vendors should strive to make products as secure as reasonably possible by considering common abuse cases. The industry is riddled with careless vendors that ship products without the slightest bit of security design, assessment, or disaster planning. But to require software vendors to make products that span all possible abuse cases would mean the end of usable and affordable software, something businesses would be unwilling to accept.
Should the more sophisticated software vendors (the EMCs, Microsofts, Oracles, and SAPs of the world) be diligent? Yes, and they are. The biggest security challenge in the software industry today is the lack of accepted standards and guidelines for the proper construction and assessment of applications.
This isn't a defense of poor software security, but a legitimate excuse for vendors. Unlike other technology disciplines, the software industry has no organizations that create global standards for security. Although groups such as AppSIC, Mitre, and NIST have made some progress in certain areas, the fact remains that there are no accepted industry standards for measuring application security. There's also no consumer-advocacy group with clout, and until the software market catches up with other sectors with respect to legal and industry regulations, we can't expect vendors to monitor themselves for complete software safety. That wouldn't be practical, as there's no end game to testing efforts where acts of the imagination are concerned.
Vendors should employ third-party certification to give customers comfort that their application has been tested by an independent source; this would help the vendors sell more products while boosting consumer confidence. But even this is suspect, as one can't be sure exactly how the application was assessed, given the absence of standards for measurement.
The usability problem is another conundrum: Making a product more secure almost always costs some usability, some speed, or both. Imagine taking this to the ridiculous level of requiring software vendors to anticipate every way in which a creative and malicious user might exploit their software. The software would be released years behind schedule, cost 200 times more, and be extraordinarily cumbersome to use.
So if software vendors can't be held entirely accountable for failures of imagination, what can you do to protect your organization from some of the more sophisticated attacks?
The situation isn't hopeless. But until an industrywide standard is adopted, the most we should expect is for vendors to take reasonable precautions against foreseeable threats.
Ed Adams is president and CEO of Security Innovation, a Boston firm that provides risk-analysis, risk-mitigation, and consulting services to global organizations.