Businesses Want Software Companies To Take Responsibility For Security Holes

from the face-up-to-what-they've-done-wrong dept

The debate has gone on for years about just how liable software companies should be for security holes that are later found in their products. Both sides make compelling points. Those who are constantly patching and dealing with the security holes say that the software makers should be held responsible for their poor product design. Software developers point out that designing without any bugs or security holes is simply impossible, and that making the company liable for any problems would destroy most software companies (especially small, independent developers). Either way, companies are sick of taking the blame for not patching security holes and are saying that software developers, even if they don't accept liability for vulnerabilities, at least need to accept some responsibility for making the situation better. The Business Roundtable, a trade group of CEOs, is calling on software companies to do a better job of building in security, while also making it easier to update and secure systems when new vulnerabilities are found. They're also calling on the companies to continue to support older versions of their software after newer versions are on the market. They admit that companies do need to be vigilant about protecting their IT, but they want more help from the software developers. It seems like this is an obvious opportunity for managed security vendors to step up and offer solutions in the middle. The security problems are not going to go away; if anything, they're going to get worse. What needs to be done, however, is to find a better solution than forcing an in-house IT staff to be ever-vigilant about patching every single application every time a new vulnerability is found.


Reader Comments



  • Doug Coulter, 19 May 2004 @ 10:05am

    Liability a good thing

    I write software for a living, and I think that some sort of limited liability for errors in software would be a good thing for just about everyone. I say limited, because of course if you use my code in some way that makes your (and my) total risk exposure huge, that's not my fault.
    At least, not unless I told you it was safe to do that.
    But the idea that all software companies can put out these EULAs that disclaim all liability is evil. The unfortunate UCITA that gives these the force of law is utter evil. I like Ron Burk's idea of a virus that automatically clicks any button that says "I agree" so consumers could disclaim ever having seen the EULA at all.
    In other words, if I make millions of dollars dependent on the working of say, Microsoft Access, don't do backups, and then try to recover those millions, that shouldn't fly -- unless they told me it was safe (and they do). But I should be able to recover something "at all" in the event the loss was due to their faulty code. It would motivate them to make the basic stuff better instead of constantly adding "features".
    Sadly, it doesn't matter what big companies like Microsoft say about improving security. They cannot do it without totally breaking backwards compatibility with all their apps, and most third party apps. You can guess how likely that is to happen. Many of the "holes" are "features" that these applications depend on for normal operation.
    The ability to broadcast windows messages to all top level windows is needed for orderly shutdown, for example. But it can also be used to send alt+f4 to the firewall code, shutting it down. The ability to transparently run mobile binary code, the basis of COM, DCOM, OLE, ActiveX and so on, is another huge port of entry for malware, but if you remove this, then most of the "features" of Office are also gone.
    Security has to be designed in at the start. Microsoft never considered the implications of networking until it was too late for this.


  • Anonymous Coward, 19 May 2004 @ 11:29am

    No Subject Given

    Why should software be different from any other product? If you build a POS car and get injured, you hold the car company liable and will usually get damages awarded $$$ of some kind. Software should be no different. And like automobiles, we have become severely dependent upon it, expect it to work, and often, its failure to work causes great harm. So I should have the right to hold the software company liable.

    On the other hand, the software maker should be allowed to provide themselves some type of protection, such as a disclaimer that patches not applied within a reasonable amount of time relieve them of liability.

    There would obviously need to be a meeting of the minds (or lawyers) to determine what's reasonable, but software manufacturers should not be able to simply wash their hands of the matter if the software causes the end user some kind of monetary harm.

    Would give the lawyers lots of work and the judges a chance to set precedence in lots of new cases.


    • Rick Colosimo, 19 May 2004 @ 8:32pm

      Re: Software is (& isn't) different

      Software isn't governed by any legal rules different from those for any other product. Every product maker is able (in a legal sense, not necessarily in a practical, market-responsive sense) to limit the manufacturer's liability as much as it wants. There are two caveats: first, public policy is invoked to prohibit any limitation on liability for personal injury (actual physical injury); and second, a contractual limitation is not binding on third parties.

      The rationale for the first caveat is that we don't want to put an explicit price on human injury and suffering, even though we do it implicitly all the time and are forced to do it explicitly at trial.

      The rationale for the second caveat is a corollary of the underlying power to limit liability. If two parties contract for the delivery of an operating system, they can decide how to allocate the risk of economic losses from failure. For example, if you want Windows XP to be crashproof, you're free to buy that, but at the price MS sets. The software industry as a whole has moved to a model where they're not willing to be responsible for crashes, security problems, etc., AND the buyers of software are a fortiori okay with that since they are still buying the software.

      A last example: think of these types of guarantees like the service plan they offer you on anything you get at Best Buy. You can either pay the money to get the protection or decide to bear that risk yourself. That decision, translated to a zillion different types of issues, is the heart of contract law and the reason why you sue the car manufacturer in an accident but you take your data losses in stride -- you've already paid for the crash protection upfront by getting a cheaper price for the software.


      Rick
