| FYI, there's a provocative article over on Dark Reading today.
| http://www.darkreading.com/document.asp?doc_id=140184
|
| The article quotes David Rice, who has a book out called
| "Geekconomics: The Real Cost of Insecure Software".  In it, he tried
| to quantify how much insecure software costs the public and, more
| controversially, proposes a "vulnerability tax" on software
| developers.  He believes such a tax would result in more secure
| software.
|
| IMHO, if all developers paid the tax, then I can't see it resulting in
| anything other than more expensive software...  Perhaps I'm just
| missing something, though.
The answer to this is right in the article:

        Just as a traditional manufacturer would pay less
        tax by becoming "greener," the software manufacturer
        would pay less tax for producing "cleaner" code, he
        says. "Those software manufacturers would pay less
        tax pass on less expense to the consumer, just as a
        regular manufacturing company would pass on less
        carbon tax to their customers," he says.

He does go on to say:  

        It's not clear how the software quality would be
        measured ... but the idea would be for a software
        maker to get tax breaks for writing code with fewer
        security vulnerabilities.
        
        And the consumer ideally would pay less for more
        secure software because tax penalties wouldn't get
        passed on, he says.
        
        Rice says this taxation model is just one of many
        possible solutions, and would likely work in concert
        with tort law or tighter governmental regulations....

So he's not completely naive, though the history of security metrics and
standards - which tend to produce code that satisfies the standards
without being any more secure - should certainly give one pause.

One could, I suppose, give rebates based on actual field experience:
Look at the number of security problems reported per year over a
two-year period and give rebates to sellers who have low rates.  There
are many problems with this, of course - not the least that it puts new
developers in a tough position, since they effectively have to lend
the money for the tax for a couple of years in the hopes that they'll
get rebates later when their code is proven to be good.

                                                        -- Jerry
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________