On Nov 29, 2007 2:47 PM, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
>
> The article quotes David Rice, who has a book out called
> "Geekconomics: The Real Cost of Insecure Software".  In it, he tried
> to quantify how much insecure software costs the public and, more
> controversially, proposes a "vulnerability tax" on software
> developers.  He believes such a tax would result in more secure
> software.

I like contractual approaches to this problem myself.  People buying
large quantities of software (large enterprises, governments) should
get contracts with vendors that specify money-back for each patch they
have to apply where the root cause is of a given type.  For example, I
get money back every time the vendor has a vulnerability and patch
related to a buffer overflow.

I wrote a small piece about this:
http://securityretentive.blogspot.com/2007/09/buffer-overflows-are-like-hospital.html

Turns out that the federal government isn't paying for avoidable
outcomes anymore.  Certain things fall into the rough category of
"negligence" and so aren't covered.  We ought to just do this for
software via a contracts mechanism.  I'm not sure we want to start out
with a big-bang public-policy approach on this issue.  We'd want to
know a lot more about how the economics work out on a small scale
before applying it to all software.

-- 
Andy Steingruebl
[EMAIL PROTECTED]
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________