The actual cost of insecure software

Legislation is often helpless when it comes to insecure software. The whole process of exploiting vulnerabilities in software can be carried out very far from the place where the vulnerable software resides, even from another continent. All that is left to law enforcement is to wait for a mistake in the actions of the hackers, but it is often difficult to find a legal basis for prosecution, and fines are disproportionately small compared to the opportunities that weaknesses in software offer.

On the other hand, software developers and manufacturers do not consider themselves responsible for weaknesses in their software. Licensing rules are usually formulated in such a way that all responsibility for potential damage is left to the users. The user is obliged to constantly check for patches and install them on his or her system. He or she must also use all other means of protection, such as antivirus software or firewalls, to stop the exploitation of vulnerabilities in the software that was bought and which must be used as it is.

The actual price of software is not its purchase price. The actual price of software is measured by its security and reliability. If a hacker uses a vulnerability in the software which the software manufacturer has not yet eliminated, the cost of the damage is many times greater than the purchase price of that software. If this happens in financial systems, the damage is measured in money (possibly in large amounts of money); if it happens in other critical systems, such as nuclear power plants, hospitals and national security systems, human lives might be endangered, which makes the damage incalculable.

What is an effective solution for insecure software (which is the rule rather than the exception in the software market)? Certainly it is not the frequent issuing of patches. That is just "fire fighting", with the possibility that a large number of vulnerabilities remain undiscovered by the software manufacturers. The only effective solution is strict quality control and thorough testing for software security weaknesses before release onto the software market. Of course, these activities require major changes, because they will slow down the production of software, which is not in the market interest of manufacturers or users of the software.

What is needed is a thorough change in the philosophy of software production that puts the security and welfare of users first, rather than only the rapid release of new versions of software that open new weaknesses. In legislation, more stringent penalties for software manufacturers would help in cases where vulnerabilities in their software cause substantial damage to the user. For such a big change, both users and manufacturers must be knowledgeable enough to know the real cost of insecure software, which is currently difficult to determine because everybody is reluctant to provide such information. Only knowledge of the actual cost of insecure software and a conscious decision to practice secure production of software will fundamentally change and improve the security of the systems and users that use the software.

Suzana Stojaković-Čelustka, PhD, is an expert in the field of information security. Some of her related duties have been: CEO of CARNet CERT (Croatian Academic and Research Network Computer Emergency Response Team) in 1997, CEO of the CARNet Department for Security of Computer Networks in 1998, assistant for information security related jobs in the Office for Internetization of the Croatian Government (2002-2004), senior advisor for information security in the Central State Office for e-Croatia, including development of the National Program of Information Security in the Republic of Croatia (2004-2006), and CISO (Chief Information Security Officer) at the Croatian Bank for Reconstruction and Development (current position).

She is also a lecturer on information security topics on various occasions and an editor at the Croatian Information Security Portal. She received her BSEE and M.Sc. at the Faculty of Electrotechnical Engineering, University of Zagreb, Croatia, and her Ph.D. at the Faculty of Electrical Engineering, Czech Technical University in Prague, Czech Republic. Her Ph.D. thesis was on Building Secure Information Systems. Her other interests include research in computer architecture, distributed systems (networking), algorithmics, artificial intelligence and artificial life.

She is an active member of IFIP W.G. 9.6/11.7 (Working Group 9.6/11.7 - Information Technology Mis-Use and the Law, IFIP Technical Committee 9 - Relationship between Computers and Society) and IFIP W.G. 16.5 (Working Group 16.5 - Social and Ethical Issues in Entertainment Computing, IFIP Specialist Group on Entertainment Computing).
