The Need for Customer-centric Signaling in the Software Market presented at AUScert 2009

by David Rice,

Summary: Poorly written, insecure software is no longer a technology issue; it is a public policy issue. The market does not provide significant or compelling incentives for developing secure software, so current cyber security spending largely deals with the effects of insecure software. In essence, software manufacturers practice unrestrained vulnerability dumping onto downstream market participants. As such, cyber defenders are too busy mopping the floor to turn off the faucet. This situation must end. This presentation argues that reducing the daily flow of new software vulnerabilities into the global stream of commerce is best accomplished through clear, observable, reliable signals made available to software buyers in the form of software assurance labels. To date, the software industry has no labeling regime in widespread use. Buyers and users of software have little more to go on than vague, unprovable assertions by software manufacturers regarding software quality and security. As a result, software resiliency, security, and quality remain undersupplied and inconsistently distributed, at great cost to economic and national security.