It’s always refreshing to see vendors talking about real issues on their product managers’ and evangelists’ blogs without trying to spin a press release out of every corporate gurgle and fart that percolates out of the company message set.
So it was that I came to read source code quality specialist Coverity’s internal journal this week and came across the thoughts of product manager Jane Goh.
Goh recounts a recent visit to an RSA security conference session on “software liability” where she got to listen to revered “security gurus” (The Economist’s words – not mine) Bruce Schneier and Marcus Ranum talk about how we should achieve better software quality in the future.
The question is, do we clamp down on software vendors via regulatory action (in the form of software liability) or do we let market demand settle the scores?
After all, now that we live in the American-inspired “litigious society” where people file lawsuits for their coffee being too hot, surely we should be able to take software vendors to task more openly.
Goh says that Schneier came down on the side of software liability:
“[He took] the stand that software vendors should be liable for the malfunction of their products just as manufacturers of physical products such as cars, medical devices and chainsaws are held liable. Schneier argued that introducing product liability for software would dramatically improve the quality of software.”
“Currently, software vendors are only concerned with insecure software costs that immediately impact them, not with the total costs of insecure software – for instance, the cost in millions of dollars from a data breach to the companies that use the software and to the end users who have lost personal and financial information. So dealing with externality costs here would improve things by moving costs to where it is most effectively spent, i.e. fixing the risk rather than just mitigating it.”
Goh then describes how the other speaker, Marcus Ranum, took the side of market demand, saying that if consumers continue to choose to settle for ‘free and mediocre over good and expensive’, then so be it.
“However, if corporations and consumers boycotted buggy software products by refusing to purchase them, this will put financial pressure on the software industry to change how security is viewed. He trotted out a car analogy saying that Japanese car manufacturers, by producing better quality cars, essentially destroyed the Detroit car industry. He argued that introducing more regulation was not the answer, as it would stifle innovation by giving unfair competitive advantage to large software companies who can afford the costs to ensure better software quality.”
Interesting stuff indeed — this blog was nearly titled: Excuse me; can I have a refund for my software please?
Will the market shift or stagnate from this point onward and do we need to fuel this debate with more fervour?