ANALYSIS: Apple’s new security chief, David Rice, has some interesting views on how to improve software security – in particular a vulnerability tax concept.
The soon-to-be global security head believes such a tax could be handled in the same way as pollution, making companies pay for the amount of environmental damage they caused.
“We run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating,” Rice told Forbes this week.
“If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behaviour.”
He cited Gartner figures which estimated it cost around $1 million a year on average for a company with between 2,500 and 3,000 machines to patch its software.
“Let's deal with software, because it's the most significant issue and the most fixable. Insecure software is sending a clear message of disorder into cyberspace, and we need to deal with it at its root,” Rice said.
But could such a concept work? And what kind of impact could a tax make on the security landscape?
Not going to work?
Rice did not go into too much detail about how such a tax would work. Would vendors be fined or would they have to pay out a regular amount depending on how secure their products were?
David Jacoby, senior security researcher for the Kaspersky Lab global research and analysis team, had reservations about the idea.
There would be simply too many “ifs” to deal with, according to Jacoby.
“I personally think that this idea is not going to solve anything because not all vulnerabilities are programmatic vulnerabilities,” he told IT PRO.
“Some vulnerabilities exist because of the local configuration of the server the application is running on. There are also logical flaws that may exist in certain cases, and the severity of the vulnerability cannot really be specified by an external partner, since they have no idea what information the server handles, and how that vulnerability affects the client.”
Jacoby said vendors do need to be responsible for their software and have better routines for testing software.
“But one thing that we have to think about as well is that the hackers that we are fighting are also (in some cases) the people who find… exploitation techniques,” he added.
“What will happen if someone comes up with a new exploitation technique that affects all software written in a certain language?”
Kurt Baumgartner, senior malware researcher at the Kaspersky Lab global research and analysis team, said the tax concept did not seem to take into account many bugs, if not the majority of them, are not exploitable.
“While a creative solution seems to be needed here, I can’t see a tax as a reasonable approach,” Baumgartner told IT PRO.
“Heck, the vendors cannot even standardise a system of quantifying the severity of their own vulnerabilities and patches.”
He added that different proposals could probably “be more reasonable and more suited to the problem.”
Raising the bar
James Lyne, Sophos security expert, said the introduction of a tax could help “raise the bar” so software developers would be compelled to improve security in their products.
However, any tax project would need to be dealt with carefully to avoid damaging new product development,” Lyne told IT PRO.
“Such an initiative had to be managed carefully however, many brilliant technology platforms generating business value start of life as underdeveloped, under resourced applications,” the young security expert said.
“Stifling innovation has to be considered too.”
Lyne agreed with Rice that there was no such thing as “perfect software.”
So, whilst the initiative could not eliminate the issue, it could at least improve the situation.
“This tax is actually more in the category of regulation, trying to make sure companies make appropriate investment to manage the risk (presumably commensurate with resources),” Lyne added.
“Regulation can be effective but needs to be handled carefully to avoid adverse effects.”
He said it was nevertheless positive that Apple was “standing up and wanting to build transparency and drive investment.”
Outside of companies, secure development practices should be instilled in education as well, Lyne said. He claimed many academic bodies were not doing enough to cover this topic.
It seems a vulnerability tax is an interesting concept – one that could really shake things up. Yet the idea clearly needs some more thought if it is to ever be implemented.