Why can't I sue my software provider?

Imagine buying a new car, fixing its number plates on and driving it off to the autobahn in order to test whether the 250 km/h top speed on the speedometer is genuine. However, there's too much traffic, and you have to slow down. You hit the brakes but they don't respond. You break through the crash barrier, enter a field and manage to stop the car. You are not hurt, but the car is a write-off…


Fortunately, you will not lose out. A car's safety is the responsibility of the manufacturer and you can sue them for compensation. Even worse for them, if it turns out to be a design flaw they will need to recall and fix all the cars of that model – at their expense. Thus, legal requirements and pressure from clients and automobile clubs ensure that cars are reliable and safe.

Now, imagine you’ve just downloaded a new web browser. You install it on your laptop and connect to the Internet. But your new browser is flawed, and malicious attackers quickly exploit its vulnerability. They manage to hack your Amazon, eBay and PayPal accounts and go off shopping with your money. You might not be the only one concerned: hundreds of thousands of other people may be affected, and millions of dollars of losses may be incurred. But when you notify the corresponding software provider, you get nothing but silence. Only after a few months, after security companies and the media have repeatedly reported the security risks associated with the browser, does the provider issue a short statement and acknowledge the facts.

As I expect my car to be safe, I also expect the software I use to be secure. Unfortunately, the latter seems not to be the case. So who has to do the due diligence when using/providing software applications? Why is it that security is not handled like safety? Why can I sue my car manufacturer but not my software provider?

I believe the roots of this mismatch lie in the fact that many software packages are flawed by design, that many technologies have valid use cases but can at the same time be misused, and that many companies just don’t care. Money and legislation are the best incentives for making reasonably secure software. But there is no regulation (yet) requiring Adobe, Apple, Microsoft or Siemens to make security a priority.

Microsoft has learned its lesson, having been clobbered in the past due to its insecure pre-Windows XP SP2 operating system, and is actively pushing for a secure software development life cycle. Money was the driving force. Apple seems to do well in providing secure software, but its communication when dealing with new vulnerabilities leaves much to be desired. Siemens learned its lesson after the Stuxnet attacks against its PLCs and is now reviewing how to thoroughly deploy security as another development criterion.

So, we are still left with the consequences. We are the ones who bear the costs of their vulnerabilities. We are obliged to take protective and detective measures. We have to carry the costs of patching and anti-virus software. We have to do due diligence… Imagine if you had to do the same for your car! So, do we need regulations and laws to force software vendors to provide better, inherently secure code and protected devices? We are eager to hear your opinions. Write to us at Computer.Security@cern.ch.

By the way, what is a good incentive for you to provide secure code? Remember our Bulletin article on “A Short Tale of the Black Sheep of –ITY” and that security has to form an integral part of the overall picture in the same way as availability, functionality, maintainability and usability. More secure code means fewer interventions to fix and patch problems, thus increasing availability and improving maintainability. More secure code means better control of user interfaces and user inputs, thus enhancing usability and functionality. If you would like to learn how to do better, contact us at Computer.Security@cern.ch for consultancy or a dedicated full-scale security audit, or check out our dedicated training sessions on secure coding scheduled for September 2013:

For further information, please contact the Computer Security Team or check out our website.


by Computer Security Team