
User Beware: Why People Everywhere Are Starting to Care About Open Source Governance

Build vs Buy

In today's world, software innovation is the strategic weapon of choice by which companies compete and win on a global playing field.  Whether to "build" or "buy" is a critical question that companies are constantly evaluating.

The primary advantage of building custom software is that it gives companies the best chance to disrupt existing markets and out-innovate competitors.  The biggest downside, however, is execution risk. Simply stated, continuously delivering custom software innovation is really hard.  Just because Uber, Netflix, AirBnB, and Tesla make it look easy doesn't mean that it is.

Therefore, more often than not, organizations choose instead to buy (or subscribe to) "packaged apps" offered by independent software vendors.  The advantages of this approach are reduced up-front investment and faster time to market.  The biggest downside, however, is a completely different type of risk; one that might surprise you.

The Joke is On You

If you've been in the software business for more than a few years, you've probably heard the joke:  "Drug dealers and software vendors are the only two industries that refer to customers as users."

Although amusing on the surface, the joke is actually very frightening for one simple reason: because users of illegal drugs, just like users of software, have little recourse to protect themselves from vendors of defective products.  Simply stated, Caveat Emptor (buyer beware) is the mantra upon which the $180 billion U.S. software industry has been built.

Take It, Or Leave It

Today, before buying software from a vendor, everyone has the opportunity to first examine the vendor's End User License Agreement (EULA).  When you do this -- no matter which vendor it is -- you will find a collection of one-sided contractual terms that enable the vendor to explicitly disclaim liability and significantly limit warranty coverage.  If you don't like the terms of the agreement, then you have exactly two choices -- take it, or leave it.

Software vendors use these boilerplate EULAs to transfer all of the risk associated with their products onto users.  They get away with this behavior because:

  • Courts have treated these EULAs as enforceable contracts since the mid-1990s, which enables vendors to ship buggy software with impunity because no one can hold them liable for mistakes or vulnerabilities.
  • People have an insatiable appetite for sexy new features and they are willing to tolerate defective software because "good enough" is all that really matters.

This is the very definition of Caveat Emptor.

How did we get here?

Who's to blame?

Bruce Schneier puts it simply: “there are no real consequences for having bad security.” The result is a marketplace crammed with shoddy code.

Catalysts for Change?

Some believe that a large-scale attack (a Pearl Harbor) that exploits critical security holes in our industrial control systems is the only thing that will create the momentum needed to trigger real change in the form of (a) regulation, (b) legislation, (c) litigation, or (d) private investment in quality code.

Suboptimal code has been recognized as a problem for decades, and software liability has often been debated between two forces diametrically opposed on the issue.

At one end of the spectrum you have Oracle, _____, and _______.  These titans of the software industry actively defend the status quo and argue that holding software providers liable for their code would raise costs, stifle innovation, and be bad for the broader economy.

At the other end you have a combination of associations, regulators, and academics offering a variety of solutions for making software vendors at least partially liable for the costs of defective products.

Law professors Michael Rustad and Thomas Koenig state that the current paradigm is one in which “the software industry tends to blame everything on the sophistication of third party criminals and on careless users who fail to implement adequate security, rather than acknowledging the obvious risks created by their own lack of adequate testing and flawed software design.”

A more reasonable and balanced system?

The software industry should not be categorically exempted from the safety standards imposed on other industries.

Although it seems impossible to some, making software vendors accountable for creating safe and secure products is similar to the effort that was undertaken in the 1960s when Ralph Nader led a consumer protection revolution that made automobile manufacturers responsible for improving vehicle safety.

Fairly allocating the costs of software deficiencies between software vendors and users will require examining some of our deep-seated beliefs about the very nature of software security, as well as questioning our addiction to functionality over quality. Recalibrating the legal system that has grown out of those beliefs and dependencies will, in turn, require concerted action from Congress and the courts.

Most security breaches happen as a result of software vulnerabilities. So the real question is this: when things get exposed, how will we determine who must pay and who carries the risks associated with bad software?

Fewer Words.  More Action.

1) UL has its Cyber Assurance Program (CAP) and its three related standards, which include a requirement for a SW Bill of Materials.

2) The FS-ISAC third-party document asks for a SW Bill of Materials and provides an XML schema for it.

3) SHORTLY our HHS Task Force report will call for a SW Bill of Materials (mid-to-late April).

4) I'm hearing a Senate DRAFT bill for IoT is imminent - I think they hope to insert it before Easter break.

Dan Geer, chief information security officer at In-Q-Tel, the venture capital arm of the U.S. Central Intelligence Agency, is one who has called for legal accountability to be pushed towards the designers.  Rolf von Ressing of Isaca, a global association of IT security professionals, said: 'Software vendors bring these products into the world with all their vulnerabilities, but it’s the companies that buy them that are left dealing with the consequences.' This debate could have very significant effects on the development of the software industry and on the way that law firms and other buyers of their services protect themselves.

Written by Admin