Time to take responsibility?

Should vendors be made to compensate customers for loss of earnings stemming from vulnerabilities in their products?

By Doug Woodburn

More from this author

08 Oct 2012

Comments

  • Digg
  • Tweet
CRN cover 8 October

As it stands, vendors are virtually immune from the financial and reputational damage end users can sustain from vulnerabilities in their software.

Nearly 5,000 new vulnerabilities were discovered in 2011, according to Symantec. And yet it is the end user who is often left carrying the can when a breach occurs, while the vendor whose poor coding may have been responsible gets off scot free.

Occasionally, a vendor has broken ranks to offer end users compensation in the event they suffer loss of earnings resulting from a data breach

Security appliance vendor GSEC1, for instance, used to offer customers indemnity cover against data loss of up to £125,000. Email security vendor MessageLabs has also offered refunds if any of its customers were infected.

But this is the exception rather than the rule and the litany of exculpatory clauses contained in software vendors' end-user license agreements (EULAs) mean they are arguably not worth the paper on which they are written.

The European Commission has for several years been making noises about shifting the burden towards vendors so that software licensing guarantees consumers the same basic rights as when they purchase a tangible product.

A laudable principle, but would it work in practice?

According to Rik Ferguson, director of security research and commTrend Micro director of security research Rik Fergusonunications EMEA at Trend Micro, enforcing some kind of liability would seem an obvious step at first glance.

"Make the vendor legally responsible for the quality of their product and thus increase their focus on writing secure code, lower the number of vulnerabilities in published product and create an ecosystem where vendors routinely produce more robust software," Ferguson (pictured) wrote in a blog on the issue.

But he went on to argue that such a move would be unworkable, for two reasons.

Firstly, and most obviously, it would increase the cost of developing software. The impossibility of creating invulnerable code would oblige vendors to take out unlimited liability insurance and pass the cost on to the customer, he reasoned.

Ferguson continued: "A second, unintended consequence could be equally costly for the consumer. What happens when the vendor releases an updated product addressing identified flaws with an earlier version? Would cover cease for the now legacy versions, obli­ging consumers to commit to expensive, perhaps unnecessary up­grades to continue to benefit from their newfound legal protection?"

Impossible questions

Others harbour concerns that forcing vendors to hold the buck could stunt innovation by lengthening product development cycles and freezing out cash-strapped start-ups.

Consultant Ed Callacher said: "In principle, vendors should always be responsible for the products they produce and if they result in a tangible loss for an organisation, they need to take some responsibility for it.

"On the flip side, it would elongate the development cycle because it would force vendors to carry out more rigorous testing. And it will limit the number of start-ups we see in the channel as they will not have enough resource to carry out enough testing to ensure confidence in their products."

Callacher added: "Once a product is developed, you cannot guarantee that it is being deployed correctly. Will vendors need to have a range of approved installers in the same way as the gas central heating industry?"

David Rawle, chief technology officer at security VAR Security Partnerships, had similar reservations.

"As an IT security person, I think software should work and, if nothing else, it should be secure and that vendors should take their responsibilities more seriously when it comes to releasing secure software," he said.

"But if vendors could be held to abug malware virus security threat breachccount, everyone would be looking over their shoulder the whole time. It comes down to what you think is more important: innovation or security, and I think that is an impossible question.

"Microsoft Windows Server 2012 is about to be shipped and it would be great if we all knew it had no security vulnerabilities. But it is not practical to expect that with the complexity of modern software writing."

The European Commission is not alone in its zeal to bring the vendors to book, with industry commentator Bruce Schneier among those to argue it would cause the quality of software to improve.

Writing back in 2005, Schneier said allowing end users to sue software manufacturers for product defects would ensure they are paying the true economic cost for poor software.

"So when they are balancing the cost of making their software secure versus the cost of leaving their software insecure, there are more costs on the latter side," he said.

"This will provide an incentive for them to make their software more secure."

But this could be small beer when compared to the potential price hikes vendors would be forced to pass on. If Microsoft Windows 8 were guaranteed to have no flaws but cost £2,000, would anyone buy it?

In any case Ian Kilpatrick, chairman of Wick Hill, argued that change would have to be mandated at governmental level, which he argued was unlikely.

"The key player on this is the US and it would be commercial madness - and there­fore against all the special interest groups - for the US to penalise one of its key exports," he said. "The EU does not have the clout on its own and would be pulled up in front of the World Trade Organisation if it tried."

Ferguson counselled that pressing on with new legislation would be fraught with difficulties.

"The vast majority of breaches are the result of the exploitation of vulnerabilities for which a patch has already been released by the vendor," he said.

"Even with physical goods such as a car, the vendor is not required to fix the (potentially life-endangering) fault, only to issue a recall and make the necessary changes. Is it so different, and if you do not respond to the recall notice, or install the patch, where do you think the liability will lie in those cases?"

So is there a happy medium?

Rawle called for the introduction of a testing scheme that Aston Martin DB5 as used by James Bondwould award vendors a star rating based on how well written and secure their software is.

The automotive industry's Euro NCAP scheme, which provides consumers with an independent assessment of safety performance, is a possible model.

"But we are fairly close to a happy medium already," Rawle said. "We have a system in place in the industry whereby hackers agree they will not make a flaw or vulnerability public until they have given the manufacturer time to fix it."

blog comments powered by Disqus

Is the tech industry in danger of creating another bubble?

64%

28%

4%

4%

Updating your subscription status Loading

Popular Threads

Powered by Disqus
Satya Nadella is expected to be the next CEO of Microsoft

Satya Nadella woos WPC crowd

New chief executive lets partners in on how his mobile-first, cloud-first strategy impacts the channel

Logo for CRN Top VARs 2013

CRN Top VARs - resellers review an eventful year

We talk to an assortment of resellers about margins, services, economic recovery and the fallout from 2e2's collapse

CRN Darts Night 2014

darts

Save the date - Thursday 11 September.

Date: Thu 11 Sep 2014

CRN Channel Conference - Managed Services

conference5rb

Our popular MSP conference is back for its second year and places are filling up fast

Date: Thu 16 Oct 2014

fragment image

Don’t let your customers suffer from heat exhaustion

IT virtualisation - the engine behind cloud computing - can have significant consequences on the datacentre physical infrastructure (DCPI)

fragment image

Advanced evasion techniques for dummies

Given the changing threat landscape - with growing security threats, cybercrime and compliancen regulations - we need to rethink traditional security models


The Editors dairy blog

The editor's diary

What a rip-off!

Which? investigation reveals we do pay far too much for IT products over here

Dave the dealer blog

Dave the dealer

Washington Redface

Dave brings you the hot goss from Microsoft’s partner summit. Also: data-entry Romeos, motivational masterminds, and menial robots

View from the channel

Views from the Channel

Softcat's a channel success story, but where next?

Would IPO be right long-term option for VAR as it nears £500m sales barrier, asks CRN's Doug Woodburn?

To send to more than one email address, simply separate each address with a comma.