What really mystifies me is the anlogy to fire insurance. *Everyone* keeps their fire insurance up to date, it costs money, and it protects against a very rare event that most fire insurance customers have never experienced. What is it that makes consumers exercise prudent good sense for fire insurance, but not in selecting software?
Fire safety is physical, not tremendously complicated, and we have tons of actuarial data. Software security, on the other hand, is extremely difficult for anyone to measure -- it takes a lot of effort, even with the most advanced tools and knowledge.
So there's no way for anyone to tell which software is secure. Many vendors make dramatically inflated claims about their product's security features and rarely get called on them. For example, there are dozens of vendors claiming that their technology solves the OWASP Top Ten -- which is ridiculous.
Anyway, it's not surprising to me that consumers aren't seeking out security. Or that vendors aren't providing it for that matter. In my opinion, the market is broken because of asymmetric information, and it will never work until we find ways to make security more visible to everyone.
I did a talk on this at the NSA High Confidence Software and Solutions conference a few weeks back. The slides are here http://www.aspectsecurity.com/documents/Aspect_HCSS_Brief.ppt.
--Jeff
Jeff Williams Aspect Security, Inc. www.aspectsecurity.com
