Monday, April 21, 2008

On Geekonomics

I am sitting in a hotel here in San Antonio, TX (I presented at TRISC 2008 today - it sure was fun!) reading "Geekonomics" (can't work - I have a bit of a flu), provided by my friends from Addison-Wesley.

And you know what? The darn thing is turning me into a software liability advocate (like Bruce Schneier) - I really need to resist that ... :-)

Seriously, I just read another 10 pages and I am already thinking "Some say that if we have software liability, we will lose open source... this is kinda bad ... but such is life" :-(

Somebody please save me from this train of thought :-)

3 comments:

dre said...

The darn thing is turning me into a software liability advocate

What?! Someone is responsible for writing vulnerabilities into software? Are you trying to say that modern-day applications aren't SUPPOSED to be hackable?

And yet all this time, here I was thinking that buffer overflows were features and not bugs!

My $2M cyberinsurance policy only costs $10k/year. If I and thousands of others keep getting our remittance checks in the mail (after watching our rates and deductibles go up), I would guess that the insurance companies will eventually go after who is really responsible -- the software vendors. Maybe it was meant to go down like this.

we will lose open source

I'd like to see a strong government or financial sector organization (or insurance company) go after OWASP for writing ESAPI.

Maybe the only way to create secure applications has to come from an organization dedicated to self-governance by gifting open-source assured components to the world.

Anton Chuvakin said...

Yeah, this whole thing is much more multidimensional than "sue the vendors of bad software until they improve".

Open source has MAJOR advantages as far as code transparency, but will probably not stand up to much suing...

Dr Anton Chuvakin