Time to take responsibility?

Should vendors be made to compensate customers for loss of earnings stemming from vulnerabilities in their products?

As it stands, vendors are virtually immune from the financial and reputational damage end users can sustain from vulnerabilities in their software.

Nearly 5,000 new vulnerabilities were discovered in 2011, according to Symantec. And yet it is the end user who is often left carrying the can when a breach occurs, while the vendor whose poor coding may have been responsible gets off scot-free.

Occasionally, a vendor has broken ranks to offer end users compensation in the event they suffer loss of earnings resulting from a data breach.

Security appliance vendor GSEC1, for instance, used to offer customers indemnity cover against data loss of up to £125,000. Email security vendor MessageLabs has also offered refunds if any of its customers were infected.

But this is the exception rather than the rule, and the litany of exculpatory clauses contained in software vendors' end-user licence agreements (EULAs) means that any promises of redress they contain are arguably not worth the paper on which they are written.

The European Commission has for several years been making noises about shifting the burden towards vendors so that software licensing guarantees consumers the same basic rights as when they purchase a tangible product.

A laudable principle, but would it work in practice?

According to Rik Ferguson, director of security research and communications EMEA at Trend Micro, enforcing some kind of liability would seem an obvious step at first glance.

"Make the vendor legally responsible for the quality of their product and thus increase their focus on writing secure code, lower the number of vulnerabilities in published product and create an ecosystem where vendors routinely produce more robust software," Ferguson wrote in a blog on the issue.

But he went on to argue that such a move would be unworkable, for two reasons.

Firstly, and most obviously, it would increase the cost of developing software. The impossibility of creating invulnerable code would oblige vendors to take out unlimited liability insurance and pass the cost on to the customer, he reasoned.

Ferguson continued: "A second, unintended consequence could be equally costly for the consumer. What happens when the vendor releases an updated product addressing identified flaws with an earlier version? Would cover cease for the now legacy versions, obliging consumers to commit to expensive, perhaps unnecessary upgrades to continue to benefit from their newfound legal protection?"

Impossible questions

Others harbour concerns that forcing vendors to pick up the bill could stunt innovation by lengthening product development cycles and freezing out cash-strapped start-ups.

Consultant Ed Callacher said: "In principle, vendors should always be responsible for the products they produce and if they result in a tangible loss for an organisation, they need to take some responsibility for it.

"On the flip side, it would elongate the development cycle because it would force vendors to carry out more rigorous testing. And it will limit the number of start-ups we see in the channel as they will not have enough resource to carry out enough testing to ensure confidence in their products."

Callacher added: "Once a product is developed, you cannot guarantee that it is being deployed correctly. Will vendors need to have a range of approved installers in the same way as the gas central heating industry?"

David Rawle, chief technology officer at security VAR Security Partnerships, had similar reservations.

"As an IT security person, I think software should work and, if nothing else, it should be secure and that vendors should take their responsibilities more seriously when it comes to releasing secure software," he said.

"But if vendors could be held to account, everyone would be looking over their shoulder the whole time. It comes down to what you think is more important: innovation or security, and I think that is an impossible question.

"Microsoft Windows Server 2012 is about to be shipped and it would be great if we all knew it had no security vulnerabilities. But it is not practical to expect that with the complexity of modern software writing."

The European Commission is not alone in its zeal to bring the vendors to book, with industry commentator Bruce Schneier among those to argue it would cause the quality of software to improve.

Writing back in 2005, Schneier said allowing end users to sue software manufacturers for product defects would ensure they are paying the true economic cost for poor software.

"So when they are balancing the cost of making their software secure versus the cost of leaving their software insecure, there are more costs on the latter side," he said.

"This will provide an incentive for them to make their software more secure."

But this could be small beer when compared to the potential price hikes vendors would be forced to pass on. If Microsoft Windows 8 were guaranteed to have no flaws but cost £2,000, would anyone buy it?

In any case, Ian Kilpatrick, chairman of Wick Hill, argued that change would have to be mandated at governmental level, which he considered unlikely.

"The key player on this is the US and it would be commercial madness - and therefore against all the special interest groups - for the US to penalise one of its key exports," he said. "The EU does not have the clout on its own and would be pulled up in front of the World Trade Organisation if it tried."

Ferguson counselled that pressing on with new legislation would be fraught with difficulties.

"The vast majority of breaches are the result of the exploitation of vulnerabilities for which a patch has already been released by the vendor," he said.

"Even with physical goods such as a car, the vendor is not required to fix the (potentially life-endangering) fault, only to issue a recall and make the necessary changes. Is it so different, and if you do not respond to the recall notice, or install the patch, where do you think the liability will lie in those cases?"

So is there a happy medium?

Rawle called for the introduction of a testing scheme that would award vendors a star rating based on how well written and secure their software is.

The automotive industry's Euro NCAP scheme, which provides consumers with an independent assessment of safety performance, is a possible model.

"But we are fairly close to a happy medium already," Rawle said. "We have a system in place in the industry whereby hackers agree they will not make a flaw or vulnerability public until they have given the manufacturer time to fix it."