On Nov 29, 2007 3:47 PM, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> The article quotes David Rice, who has a book out called
> "Geekonomics: The Real Cost of Insecure Software".  In it, he tried
> to quantify how much insecure software costs the public and, more
> controversially, proposes a "vulnerability tax" on software
> developers.  He believes such a tax would result in more secure
> software.

I read Geekonomics a few weeks ago, when it became available on
SafariBooksOnline.  I have mixed feelings about the author, the book,
and the subject matter.  His discussions in the book are great -
especially in the first four chapters.  However, I find the solutions
and conclusions that he comes to in the last chapter (including all
this "tax" business) to leave a lot to be desired.

My primary reason for disliking this "vulnerability tax" is that it
doesn't take into account either web applications or
Software-as-a-Service.  Not surprisingly, the book fails to cover both
of these topics.  I'm not sure if David Rice does this on purpose,
because he does touch on open-source software issues (dedicating an
entire chapter to it, and sprinkling the topic through the book).

BTW - I think David Rice brought in the idea of a "vulnerability tax"
because it was the first analogy that popped into his head from the
research and discussion brought about in his book.  On page 157
(Chapter 4), he discusses the incentives put forward by the ISAlliance
in the form of Cyber Insurance Discounts -
http://www.isalliance.org/content/view/29/71/

Quote, "AIG, the world's largest provider of cyber insurance, agreed
to provide premium credits of up to 15% for companies that join the
ISAlliance and subscribe to these best practices. For many companies,
the cash value of this discount may be worth more than the entire cost
of ISAlliance membership".  More details in the Market Incentives
Legislative whitepaper here -
http://www.isalliance.org/content/view/92/229/

In the last chapter of Geekonomics, David Rice talks to many solutions
and incentives besides the "vulnerability tax", but none are quite as
coherent (or controversial).  I suggest reading the entire book
regardless of what you think about what amounts to a very small
section/topic.

> IMHO, if all developers paid the tax, then I can't see it resulting in
> anything other than more expensive software...  Perhaps I'm just
> missing something, though.

David Rice does propose the tax for both software vendors (not sure if
this includes SaaS) and consumers, which is stated more clearly in the
book.  The way he proposes all this doesn't seem like a solution - as
many vendors will turn this around on governments and force the
consumers to, again, eat the cost of any type of effort.

Does anyone expect that software vendors or open-source software
makers are really going to be able to produce more secure software
because of a "vulnerability tax"?  Personally, I don't think this gets
very close to the root-cause of software vulnerabilities.

Cheers,
Andre
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________