On Nov 29, 2007 6:07 PM, Blue Boar <[EMAIL PROTECTED]> wrote:
> Andy Steingruebl wrote:
> > I like contractual approaches to this problem myself.  People buying
> > large quantities of software (large enterprises, governments) should
> > get contracts with vendors that specify money-back for each patch they
> > have to apply where the root cause is of a given type.  For example, I
> > get money back every time the vendor has a vulnerability and patch
> > related to a buffer overflow.
> That changes the incentive to hide security bugs and not patch them or
> to slipstream them.

Any regulatory regime that deals with security issues is subject to
the same thing.  Whether its PCI and eluding Auditors or SOX-404 and
documenting controls, you'll always have people that want to try to
game the system.

I'm not suggesting that this is the only solution, but from an
economics and motivation perspective SLAs related to software and
security features are more likely to work and incur lower overhead
than a regulatory regime that is centrally administered.

Sure, there are going to be pieces of software that this scheme won't
work for or where there aren't very many bulk purchasers, only 1-off
purchasers.  Things like video games for example where there aren't
large institutional purchases.

That said, I think contracts between large consumers and software
producers would be a good start to the problem.

Andy Steingruebl
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to