Q&A: Want better security apps? Make vendors accountable, Geekonomics author says

Computerworld - Badly written, insecure software products are hurting people and costing businesses and individuals billions of dollars every year, says David Rice, in his new book Geekonomics: The Real Cost of Insecure Software (Addison-Wesley Professional, 2007). Yet far from being penalized for it, software vendors have been rewarded with greater market share and profits because of the lack of accountability in the software industry, he says. In his book, Rice talks about the need for change in the software industry and how to bring about that change. Rice, president of the Monterey Group, a security consultancy in Monterey, Calif., is also an adjunct professor at James Madison University's Security Graduate Curriculum and has spent more than a decade working for the military on national security issues. In an interview, he talked about his book.

Why did you write this book? I wanted to tell a story of software that everybody can understand. One of the ways of doing that is not to talk about software from a security perspective but from a technology perspective. What are the incentives for manufacturers, what are the incentives for consumers, and what are the incentives for hackers?

You say that software products in general have had largely detectable and preventable security defects for the beginning. Why haven't vendors made their products more secure? In the software market, we have this problem of asymmetric information, which means the buyer doesn't always know what they are getting. Basically, they cannot distinguish between high- and low-quality software. They have no idea if what they are buying is nice quality or if what they are buying has been cobbled together. There is a pretty general theme going around that software is in a bad state. But I can't use that to say to Microsoft or to another vendor that "I am going to only pay you 10% of what you are asking for."

This isn't to vilify software manufacturers. Software manufacturers are doing what any manufacturer would try to do. It is not like they are deliberately trying to make crappy software or to screw people over. They are just trying to do what they need to do to maximize their own profits. They really don't have any meaningful incentive to look out for you. So you can have Trustworthy Computing, or you can have a certain vendor say they are "unbreakable." But when they are wrong, they just kind of shrug their shoulders. There's no punishment for being wrong.

Geekonomics author David Rice

How do you get software vendors to write more secure software? From a high level, what we need to do is to make it more expensive for people to produce low-quality software. Markets give us what we want, not what we need. So if we don't want security, we are not going to get it. I would argue that most of us do, indeed, want security in our software. We do want safety. We just can't distinguish it when it isn't there. We kind of know it's not there, but we don't know how much isn't there. So it is very difficult for us to price it.