Time to take responsibility?

Should vendors be made to compensate customers for loss of earnings stemming from vulnerabilities in their products?

By Doug Woodburn


08 Oct 2012


As it stands, vendors are virtually immune from the financial and reputational damage end users can sustain from vulnerabilities in their software.

Nearly 5,000 new vulnerabilities were discovered in 2011, according to Symantec. And yet it is the end user who is often left carrying the can when a breach occurs, while the vendor whose poor coding may have been responsible gets off scot free.

Occasionally, a vendor has broken ranks to offer end users compensation in the event they suffer loss of earnings resulting from a data breach.

Security appliance vendor GSEC1, for instance, used to offer customers indemnity cover against data loss of up to £125,000. Email security vendor MessageLabs has also offered refunds if any of its customers were infected.

But this is the exception rather than the rule, and the litany of exculpatory clauses contained in software vendors' end-user licence agreements (EULAs) means they are arguably not worth the paper on which they are written.

The European Commission has for several years been making noises about shifting the burden towards vendors so that software licensing guarantees consumers the same basic rights as when they purchase a tangible product.

A laudable principle, but would it work in practice?

According to Rik Ferguson, director of security research and communications EMEA at Trend Micro, enforcing some kind of liability would seem an obvious step at first glance.

"Make the vendor legally responsible for the quality of their product and thus increase their focus on writing secure code, lower the number of vulnerabilities in published product and create an ecosystem where vendors routinely produce more robust software," Ferguson (pictured) wrote in a blog on the issue.

But he went on to argue that such a move would be unworkable, for two reasons.

Firstly, and most obviously, it would increase the cost of developing software. The impossibility of creating invulnerable code would oblige vendors to take out unlimited liability insurance and pass the cost on to the customer, he reasoned.

Ferguson continued: "A second, unintended consequence could be equally costly for the consumer. What happens when the vendor releases an updated product addressing identified flaws with an earlier version? Would cover cease for the now legacy versions, obliging consumers to commit to expensive, perhaps unnecessary upgrades to continue to benefit from their newfound legal protection?"

Impossible questions

Others harbour concerns that forcing vendors to hold the buck could stunt innovation by lengthening product development cycles and freezing out cash-strapped start-ups.

Consultant Ed Callacher said: "In principle, vendors should always be responsible for the products they produce and if they result in a tangible loss for an organisation, they need to take some responsibility for it.

"On the flip side, it would elongate the development cycle because it would force vendors to carry out more rigorous testing. And it will limit the number of start-ups we see in the channel as they will not have enough resource to carry out enough testing to ensure confidence in their products."

Callacher added: "Once a product is developed, you cannot guarantee that it is being deployed correctly. Will vendors need to have a range of approved installers in the same way as the gas central heating industry?"

David Rawle, chief technology officer at security VAR Security Partnerships, had similar reservations.

"As an IT security person, I think software should work and, if nothing else, it should be secure and that vendors should take their responsibilities more seriously when it comes to releasing secure software," he said.

"But if vendors could be held to account, everyone would be looking over their shoulder the whole time. It comes down to what you think is more important: innovation or security, and I think that is an impossible question.

"Microsoft Windows Server 2012 is about to be shipped and it would be great if we all knew it had no security vulnerabilities. But it is not practical to expect that with the complexity of modern software writing."

The European Commission is not alone in its zeal to bring the vendors to book, with industry commentator Bruce Schneier among those to argue it would cause the quality of software to improve.

Writing back in 2005, Schneier said allowing end users to sue software manufacturers for product defects would ensure they are paying the true economic cost for poor software.

"So when they are balancing the cost of making their software secure versus the cost of leaving their software insecure, there are more costs on the latter side," he said.

"This will provide an incentive for them to make their software more secure."

But this could be small beer when compared to the potential price hikes vendors would be forced to pass on. If Microsoft Windows 8 were guaranteed to have no flaws but cost £2,000, would anyone buy it?

In any case Ian Kilpatrick, chairman of Wick Hill, argued that change would have to be mandated at governmental level, which he argued was unlikely.

"The key player on this is the US and it would be commercial madness - and therefore against all the special interest groups - for the US to penalise one of its key exports," he said. "The EU does not have the clout on its own and would be pulled up in front of the World Trade Organisation if it tried."

Ferguson counselled that pressing on with new legislation would be fraught with difficulties.

"The vast majority of breaches are the result of the exploitation of vulnerabilities for which a patch has already been released by the vendor," he said.

"Even with physical goods such as a car, the vendor is not required to fix the (potentially life-endangering) fault, only to issue a recall and make the necessary changes. Is it so different, and if you do not respond to the recall notice, or install the patch, where do you think the liability will lie in those cases?"

So is there a happy medium?

Rawle called for the introduction of a testing scheme that would award vendors a star rating based on how well written and secure their software is.

The automotive industry's Euro NCAP scheme, which provides consumers with an independent assessment of safety performance, is a possible model.

"But we are fairly close to a happy medium already," Rawle said. "We have a system in place in the industry whereby hackers agree they will not make a flaw or vulnerability public until they have given the manufacturer time to fix it."
