Experts from SilverSky and Adobe Systems debate on whether or not software developers are incentivized to improve security.
John Viega, EVP, products, strategy & services, SilverSky
Investing in secure software doesn't seem to help make users much safer. Meanwhile, it often detracts from the functionality and usability of software. While nobody would argue that we completely ignore software security, economics and the basic need for practicality call for a more pragmatic approach.
The automobile industry is a great analogy. If safety was truly the highest priority in automobiles, cars would have regulators keeping them from traveling more than five miles an hour, or in the dark – cars would be so useless, we'd probably walk everywhere. But cars are useful enough that we accept risk.
Software is no different. Most users know they could get attacked, but the consequences and perceived level of risk are too low. So people don't care, and the market lives with insecure software.
Bottom line: If the benefits of a software security program justify the return on investment, then organizations should invest. But generally, the costs vastly outweigh the benefits. It's all about economics.
Brad Arkin, CSO, Adobe Systems
I consider the economics of the end-user to be the most important concern. All it takes is one vulnerability to be widely exploited, and then the impact that exploit can have on targeted organizations can be catastrophic. All widely deployed software products should be hardened against attack as part of the original design. This includes steps such as threat modeling, spec reviews, code reviews and hands-on pen testing.
Unfortunately, even though the industry is not yet mature enough to decipher what actually works well, people have stepped in with regulation prematurely – and it's been a bad thing for almost everyone involved. Look at PCI – it hasn't stopped credit card breaches. It's not helping the end-user much, and it's keeping vendors from spending time and money on measures that could have a much more positive impact as we learn more about how to build robust systems. Rather than wasting resources on compliance with ineffective standards, software developers should be doing things that actually help secure software.