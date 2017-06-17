What Happens When Software Companies Are Liable For Security Vulnerabilities? (techbeacon.com) 142
mikeatTB shares an article from TechRepublic: Software engineers have largely failed at security. Even with the move toward more agile development and DevOps, vulnerabilities continue to take off... Things have been this way for decades, but the status quo might soon be rocked as software takes an increasingly starring role in an expanding range of products whose failure could result in bodily harm and even death. Anything less than such a threat might not be able to budge software engineers into taking greater security precautions. While agile and DevOps are belatedly taking on the problems of creating secure software, the original Agile Manifesto did not acknowledge the threat of vulnerabilities as a problem, but focused on "working software [as] the primary measure of progress..."
"People are doing exactly what they are being incentivized to do," says Joshua Corman, director of the Cyber Statecraft Initiative for the Atlantic Council and a founder of the Rugged Manifesto, a riff on the original Agile Manifesto with a skew toward security. "There is no software liability and there is no standard of care or 'building code' for software, so as a result, there are security holes in your [products] that are allowing attackers to compromise you over and over." Instead, almost every software program comes with a disclaimer to dodge liability for issues caused by the software. End-User License Agreements (EULAs) have been the primary way that software makers have escaped liability for vulnerabilities for the past three decades. Experts see that changing, however.
The article suggests incentives for security should be built into the development process -- with one security professional warning that in the future, "legal precedent will likely result in companies absorbing the risk of open source code."
"People are doing exactly what they are being incentivized to do," says Joshua Corman, director of the Cyber Statecraft Initiative for the Atlantic Council and a founder of the Rugged Manifesto, a riff on the original Agile Manifesto with a skew toward security. "There is no software liability and there is no standard of care or 'building code' for software, so as a result, there are security holes in your [products] that are allowing attackers to compromise you over and over." Instead, almost every software program comes with a disclaimer to dodge liability for issues caused by the software. End-User License Agreements (EULAs) have been the primary way that software makers have escaped liability for vulnerabilities for the past three decades. Experts see that changing, however.
The article suggests incentives for security should be built into the development process -- with one security professional warning that in the future, "legal precedent will likely result in companies absorbing the risk of open source code."
Re:Liability (Score:5, Insightful)
Liability is what's gonna kill the free software movement. Many reasons.
Liability for general purpose computing is not going to happen. It would make software way more expensive, and mean locked down desktops and laptops that prevent users from downloading, connecting, and configuring. People are not going to accept that.
For safety critical software, such as automotive control (not infotainment), elevator systems, etc. we already have liability regulations.
Liability for a insulin dispenser makes sense. Liability for a free webapp does not.
Re: (Score:1)
Liability for a free webapp does not.
With liability there will be no free web app or at least no free American made web app.
Re: Liability (Score:2)
Re:Liability (Score:4, Interesting)
Liability is what's gonna kill the free software movement. Many reasons.
Liability for general purpose computing is not going to happen. It would make software way more expensive, and mean locked down desktops and laptops that prevent users from downloading, connecting, and configuring.
In addition to that, we have the most vulnerable OS being the biggest OS, and the Chinese building the Internet of things essentially open systems, so what would we do? Sue them?
It isn't to blame the victims here, but the ascendency of personal computing for the masses means that most computing devices are owned by people with very little idea of security. In a world where people click on random stuff they get in email, it's gonna be very hard to get any real security.
Re: (Score:2)
This kind of thinking pisses me off.
It's a goddam computer.
You and I know what best practices are, so why the fuck don't we "AI" the computing devices?
Meta Code (I never met a code I didn't like):
- See email attachment
- Examine attachment code
- Predict consequences
- Vet the code against:
Isaac Asimov's "Three Laws of Robotics"
A robot may not injure a human being or, through inaction, allow a human being to come to harm.
A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
Re: (Score:3)
Re: (Score:3)
Then you're not the person to tackle this issue.
Microsoft did (as mentioned above) glue their hardware together.
That fixes a lot of problems.
Microsoft will find a solution to security when it's cost-prohibitive to continue to ignore the problem.
Re: (Score:2)
Re: (Score:1)
You're apparently unaware that Asimov's collection of short stories in "I, Robot" was a warning that even those three seemingly simple rules result in fallible robots.
Re:Liability (Score:5, Insightful)
Liability for "free" software rests with the people who use it to make money. They are the ones on the hook to ensure that the "free" software is suitable for the purpose for which they are selling it.
Organizations which use "free" software directly are themselves responsible for whatever happens as a result of using that "free" software.
GPL is rather long-winded - take a look at the MIT license for a notion of where liability for "free" software lies.
Before you say "that's gonna change when liability comes into the picture" - no, not at all - people writing software who don't know how it is going to be used cannot conceivably be held liable and more than Sir Issac Newton's estate could be held liable for a mishap on the space shuttle.
Re: Liability (Score:2)
Yes, and liability stops with whoever put it in that safety-critical system without assurances from a third party that the software was fit for such use.
Similarly, a lumber yard is not liable if someone is particle board where high-tensile, fire-resistant, waterproof material is indicated.
Re: Liability (Score:1)
You get what you didn't ask for (Score:1)
Even if I act as a true professional and do exactly what I'm expected to do to deliver secure code...ill get fired.
This doesn't align with the business interest. If it costs money and doesn't save money or make money you're wasting your time.
It doesn't matter what the developer wants, ROI is king. Everything else is a firing offense.
Re: (Score:3, Insightful)
It has to be like a legal obligation in large software or certain domains to pass like either:
- HP Fortify (HPFOD)
- IBM AppScan
- Coverity
or similar security scans
Open Source does not need to pass this, but users* of those libraries / programs
should pass this and then pass the scan.
Some of these companies provide "free scan" for Open Source / public GitHub projects.
It happened to us, that HPFOD would find bugs in some Maven Java Libraries JAR file
that we had to patch ourselves, in order to be put that JAR in
Re: You get what you didn't ask for (Score:3)
If it's such a security issue, shouldn't it already be done correctly in the library or the logging system? These sorts of things is exactly what a developer shouldn't have to worry about. If the underlying system receives a string from a Log library, it should either be cleaned or the underlying system should clean those up.
LogForging (Score:1)
We simply developed our own Logging framework tools over Log4J,
similar syntax to SLF4J, but proper,
like so many common examples on StackOverflow.
Unfortunately, Log4J / SLF4J did not patch for this yet... to my knowledge.
They log as is, which is what you want in dev mode,
but not in production mode and there is no security flag to go around it.
There are so many rules when you do web apps
and if you think that just adding Spring Security
and similar framework will make you pass HPFOD
then you are very far from it
Re: (Score:2)
And our software does have serious problems. People still write SQL injection bugs, for unknown reasons.
Re:You get what you didn't ask for (Score:5, Insightful)
If your company were going to be held liable for security vulnerabilities, finding and plugging these holes during development would be part of your job. As things are, there's no reason to look for or deal with them unless there's a way to make your customers pay for it. This holds true for all custom software, either open or closed source.
Re: You get what you didn't ask for (Score:4, Informative)
If your company were going to be held liable for security vulnerabilities, finding and plugging these holes during development would be part of your job. As things are, there's no reason to look for or deal with them unless there's a way to make your customers pay for it. This holds true for all custom software, either open or closed source.
It really depends on how big the company is, how often they get busted, and what exactly they are liable for. As it stands now, the average small company can go 20 years without an incident. The small company that skips on security can likely outcompete and outlast the small company that doesn't. Sure if they get unlucky and have a security incident, it could bankrupt them but the odds are in their favor that skipping security gives them a competitive advantage to the company that doesn't.
Re: (Score:3)
The developers aren't at fault. The people in charge have to be the ones to demand security. Blaming pros and cons on Agile or DevOps misses how companies really work. If the management puts security as a required feature, then it'll get added in even with Agile. Nobody should be dumb enough to allow bottom tier developers to set their own goals.
You also need management to actually hire security experts. A lot of failures come from having novices work on security (novices can mean those with decades of
Nada (Score:2)
Re: (Score:1)
Software developers need secure libraries to work with. At least one exists secure library [vanilla-js.com]
Re: (Score:3, Insightful)
You cannot build a secure application without planning the whole thing out first. This ADHD / MBA / lazy fuck / quick profits / fuck the customer approach to development ("agile") is a cult kool aid, and all the young ones drank it.
It will take computer science decades to recover from this, if it ever does. I think we may have already peaked.
Re: (Score:2)
What sorcery is this [imgur.com]?
File contents stored alongside metadata in the filesystem, because it fits? Not sure which FS you're using, and now sure on Windows 8/8.1/10 report on such things.
Re: (Score:1)
In general, people and orgs will NOT pay extra for security when given a choice. That's just the way it is.
Re: (Score:2)
Sure. Just up the price to cover the legal problems and settlement fees and you're set. Why bother change the software? In the end, the whole shit is a matter for risk management, not engineering.
it's done all the time in aviation (Score:3, Informative)
In spite of people confusing inflight entertainment systems with avionics, yes is is done all the time j. The aviation industry. Every piece of software that controls the airplane must be built to RTCA DO-178B/C design processes. Among other things, every input and output to every module is specified in the design process, and out of bound input responses are chosen. Then in writing the software, the inputs are checked, and then validated against random and maliciously crafted input. Bogus states are inject
Re: (Score:3)
It's not really that much more expensive, as mature engineers aren't really more expensive than programmers, are a lot more effective, and the debug cycle is a lot faster when it's designed in at the front.
Dude, I worked in this industry. Its FUCKING INCREDIBLY EXPENSIVE. Like on the order of 100x more expensive than writing line-of-business commercial software. A 10 line subroutine can EASILY require 100 hours of engineering and testing to meet spec. Everything has to be written out in some sort of design document beforehand, every requirement flowed down to lines of code that cover it, documented test cases that cover each requirement, total coverage of all possible inputs at every call boundary, etc.
I mean
The price will skyrocket (Score:2)
Just look at medical devices. They don't cost that much to make but have to go through a long certification process that needs to be paid back.
Same with software. Something like SOX, PCI or HIPAA will pop up to certify "secure software" and software that is patched on a regular basis and people will end up paying for it. And on top of that every piece of software will be "certified" on some platform, similar to a game console. If you run it outside of the certified hardware you lose the ability to sue.
You'r
Re:The price will skyrocket (Score:5, Informative)
And yet, ironically, that certification process does not cover security. The software on medical devices is well known for being almost ludicrously insecure.
Re: (Score:2)
This price hike won't either.
And just like the price hike with medical devices, it will be mostly to cover the additional cost for legal battles and settlements. Life has a price, ya know...
Re: (Score:2)
Doesn't matter. After the lawsuits of the 80's and 90's there are now "best practices" and "standards of care" and standards for almost everything because you can't just sue. You have to prove someone did something wrong.
Same here. Industry will make up some best practices, it will be a certification or some other process that costs a lot of money, it will mean hiring people to push the paper and make sure the paperwork is right and everyone will pay.
Re: (Score:2)
The whole medical ecosystem is seriously screwed up, starting with the reimbursement models. They scream high costs, but one particular med device company I worked for spent $600 per device full up for production and FDA overhead. They sold for $15K and the company was barely breaking even. Where did the other $14K+ go? Mostly sales and marketing, also lobbying for increased reimbursements.
Answer: It won't happen. (Score:2)
If not already, there will be a clause added to the Terms and Conditions saying, "(a) We're not liable and (b) all disputes will be settled via arbitration."
Re: (Score:2)
Now only the laws of your country must allow that.
New Zealand (Score:1)
In NZ we have the consumer guarantees act.
In effect it says they must be fit for purpose, free of defect, and have a reasonable expectation of life.
This is in addition to warranties, so the warranty for a refrigerator may be 12 months, the CGA would say 10 years.
The CGA also says that the supplier is also liable for any additional harm, e.g. your phone catches fire and burns the house down, the supplier is able for all losses including the house, accommodation while it is rebuilt etc.
You can also NOT contra
Re: (Score:2)
According to the sites about the CGA I've found, it does cover software. However, it doesn't cover anything sold "for commercial use", so business software wouldn't be covered. An OS or program bought for home use would be, though. Open source would not be covered as only item sold "in trade" are. Private sales are not covered, so custom software made on contract would not be covered.
Re: New Zealand (Score:2)
Re: (Score:2)
And then everyone comes around and cries out "Why does the US price for [item] is $500 and I'm paying $1000 for it?!"
There
The maturing of the profess (Score:3)
... software takes an increasingly starring role in an expanding range of products whose failure could result in bodily harm and even death. Anything less than such a threat might not be able to budge software engineers into taking greater security precautions.
What you are seeing is the maturing of software engineering as a profession. A few hundred years ago if you needed surgery you would go to your barber [wikipedia.org]. The reason for this was that they were usually in possession of the right tools. The medical profession eventually matured to what we have today, where a surgeon is a specialized physician. But that didn't happen overnight and lots of people died in the process. In fact, we didn't even have a theory of infectious disease until the 1830s.
The point is that right now hardware, including its firmware components, is oftentimes made without the involvement of a software engineer. It wasn't that long ago that software engineers didn't even exist and in time as the profession matures we will get to the point where developing a piece of hardware without the participation of a software engineer will be unthinkable. But we are not there yet.
An important side note is that there is a difference between a coder, a developer, a programmer, a software engineer, and several other specialized disciplines in the software arena. I think that a precondition to solving the problem identified by the article has less to do with things like development methodology (that is not central the problem at hand) and more to do with establishing minimum standards for some who claims to be a software engineer. For instance, a surgeon in 2017 has to meet vastly different minimum qualifications than a surgeon did in 1917. We didn't even have software engineers a hundred years ago, so who knows what it will actually looks like by the time the field really starts to mature.
"Security" and "move toward agile development" ? (Score:2)
Sorry, I stopped there, at "Even with the move toward more agile development and DevOps". What's the link, supposed positive here, between the two ?
Both "old" and "new" method won't never mean better software than the people using them.
Bad engineers using old method (V cycle ? Tons of documents ?) or new methods (you said agile, as in "get as many things done as possible, as quickly as possible, using shiny web app like Trello or Kanban-something" ?) won't make secure software.
May be with good engineers, yo
Re: (Score:2)
Couldn't agree more. The notion that the road to computing security runs through agile and Devops seems to me to be as unlikely as the notion that the way to get you and your bicycle from New York to Bermuda is to head off on said bike for the Bering Strait (in Winter) so you can get to Singapore then think out your next step.
FWIW, I think the road to computing security probably is ill paved, difficult, unpleasant and involves shrinki
Don't see how it could work. (Score:1)
It is hard enough to produce a finished (or, rather, deployable) software product without adding impossible constraints on it. Harder still to make a profit out of it if you are going to have to carry liability insurance assuming that would ever be available.
My current project is a web application with client-side javascript, running on top of an unknown operating system, connected via the Internet via unknown switches and routers, with the back end with two Linux Virtual machines provided by a vendor whos
Software Engineers Failed? (Score:4, Insightful)
Software engineers have largely failed at security. Even with the move toward more agile development and DevOps, vulnerabilities continue to take off. More than 10,000 issues will be reported to the Common Vulnerabilities and Exposures project this year.
How about you get what you pay for? Many management teams have decided that adding security costs money and it's more cost effective not to spend many cycles on it, but rather to just deal with problems as they pop up.
I don't think you can spin that as software engineers "failing." If the management wants security, they can pay for training, consultants, audits, bug bounties, etc. There are lots of ways to address this issue. Besides, perhaps the number of bugs is skyrocketing as a natural consequence of all of the new software projects and products.
Re: (Score:2)
And since companies are not really known for sitting on costs, expect software (and hardware) prices to skyrocket.
Re:Software Engineers Failed? (Score:5, Insightful)
So very much this. Given the notion that out of fast, cheap, and $x, you can have any two; it's practically a truism that PHB/MBA types will always choose fast and cheap, no matter the value of $x. The only exceptions are when you're contractually or legally obligated to have $x, such as in PCI or HIPAA environments. And even then, fast or cheap is only given up for $x very begrudgingly, and sometimes only on paper but not in reality.
Re: (Score:2)
Software hasn't had it's "Pinto" moment yet, where a jury decides that a company needs to be punished for that type of calculus.
Re: Software Engineers Failed? (Score:2)
There's a problem with dodging responsibility. (Score:1)
Eventually responsibility will come looking for your ass.
If it's not secure, it's not working. (Score:2)
Automated test should be including known attack vectors, if the build is vulnerable, the build fails.
Re: (Score:2)
If it's not secure, it's not working.
so your saying no one has ever written working products yet? if that is your definition of working then there will never be any working products, security can never be absolute.
Re: (Score:2)
The problem with that is that most security issues are a result of attack vectors that were not known yet when the software was under development.
Software patches address that - so software when released may be tested against known attack vectors, security patches are also tested against known attack vectors, just a few more of them as more become known over time.
Simple (Score:4, Funny)
We'll essentially get shrink-wrap contracts that basically say "This software can't do shit, if you use it regardless, sucks to be you."
In other words, what we already have.
Re: (Score:2)
Isn't that in most EULAs already?
You can always find something in the lines of no guarantee, explicit or implied, that this software is fit for any purpose.
Re: (Score:2)
It's management that won't pay for properly written, properly tested software. That takes time (measured in metric shit-tons), and that makes it too expensive in every case I've ever seen.
Security cannot possibly be the result of dotting every i and crossed every t. It cannot require exhaustive testing, massive expenses, being very careful with critical attention to every detail. Any approach requiring these things for success is almost certainly guaranteed to fail. Security must never require human perfection.
The only realistic way to get to a secure system is by perusing designs which are inherently secure where coders are required to intentionally create a vulnerability or otherwise kn
Trusting trust (Score:1)
Who are these "experts"? (Score:5, Informative)
Reading the article, it's all people with an interest in peddling solutions to the problem, naturally. This is a marketing paper.
Claiming that Software Engineers have "failed" at security is akin to claiming that police have "failed" at crime stopping crime. And the courts aren't going to suddenly start blaming companies for the actions of threat actors unless there is some representation that the products they're creating are unhackable.
That depends on how you define company (Score:2)
If it were literally only companies which were on the hook, you'd see a bloom (not a renaissance, because there has not been a dark age yet) of OSS. If companies are liable, but J. Random Coder on the street is not, then you're going to see FoSS take center stage simply due to lack of liability.
Re: (Score:2)
Uh, no. Given a choice between "use product from A and if there is a problem they are liable" and "use FOSS product and if there is a problem I am liable", who do you think is going to go with the second option?
Re: (Score:3)
Uh, no. Given a choice between "use product from A and if there is a problem they are liable" and "use FOSS product and if there is a problem I am liable", who do you think is going to go with the second option?
You haven't read a EULA lately, have you? That's how it is now.
Software has already killed people (Score:2)
Not a security vulnerability - as in, no malicious actor exploiting a security flaw - but killing people? BT,DT. https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
The problem, then, was poor product (hardware) engineering and a series of lapses in judgme
Programming practices. (Score:2)
If (and that's a big "if") companies become liable for software failures then it will be most likely that there will be a guideline of standard programming practices. Likely it would restrict companies to using programming languages that have already been heavily analyzed and their security weaknesses identified. CMU has composed guidelines for multiple languages and platforms [cert.org] which could easily be identified programmatically. Such regulation would be a deathblow to companies using script kiddies to scra
Hopefully good things (Score:2)
Oh shit, now wireless cameras cost $49.99. But they're secure? Works for me.
Security is not Safety (Score:2)
Safety and security are independent requirements. An expensive insurance bill or loss of operational trust is not a measure of safety.
In the real world of buildings and machinery security is only occasionally a factor and often clashes with safety. Safety is always number one at the expense of security.
Re: (Score:2)
So who're you going to sue? The retailer? The distributor? The importer? Or will you try going after the producer - overseas, different jurisdiction, and possibly out of business already (or simply shut this company and moved on to the next).
Re: (Score:2)
I think you might have replied to the wrong posting.
Oh give me a break. (Score:2)
Even with the move toward more agile development and DevOps, vulnerabilities continue to take off
Last time I checked, both of those fads tend to harm security, not help it.
Doesn't matter. (Score:2)
It's bad (Score:2)
Look what happened to general aviation when cessna, piper, et al got the pants sued off them. A small 4 place plane used to cost about as much as a mid range Cadillac, after the lawyers got through with them they cost $200k.
hate this (Score:1)
Well doctors really fail at immortality, so blame them for that as well. You can't fine a doctor every time a patient dies. It's not always the doctor's fault. People die. We don't understand human body enough to prevent that.
Software engineers (usually) do the best we can. Software systems are some of the most complex systems humans have created. We go into software development knowing we will never fully understand how the software works. But we can still create something that is useful, even with that li
Let me fix the summary for you: (Score:2, Insightful)
"Even with the move toward more agile development and DevOps, vulnerabilities continue to take off..."
Should read as follows:
"Because of the move toward more agile, less detail-oriented, lower quality development and DevOps, vulnerabilities continue to take off..."
Software engineers fail at security? (Score:1)
The root cause of the vast majority of security failures is Microsoft Windows running on Intel hardware.
Microsoft never innovates, but does improve ideas (Score:2)
Could have been the entry point for an insightful analysis. You didn't comment (or notice) that it's not a spurious correlation. The EULA was perfected by Microsoft so that liability was eliminated as a real concern for the developers.
I think the other major wrinkle perfected by MS was selling to the makers, not the actual users.
There are other possibilities, but because the rules of the game are biased for YUGE companies, not increasing consumer choice and freedom, we're screwed. I suppose Trump's voters h
Security will only happen ... (Score:2)
... in response to litigation.
I predict the EULA inclusion of waiver of liability is going to be removed.
It's similar to signs in the parking lots of Walmart saying, "Not responsible for damage from shopping carts."
While that sign may discourage some shoppers from filing damage claims, it certainly does not protect Walmart from liability in all cart-related matters.
As TFS suggests, computing devices are becoming more critical and damages more damaging.
Agile? (Score:2)
Anyone care to explain how agile is supposed to improve security?
It's not the software companies that get hosed (Score:2)
To which I say, good fucking riddance.
The sane solution is of course... (Score:2)
... to define a "state of the art" regarding security. It should contain things like not mixing user input with SQL-queries, unless it goes through a whitelist of characters or is escaped by a proven to work function.
Essentially that "state of the art" should always be a bit above what idiots do in order to weed out idiots. Ideally it's defined in a way that that compilers can prove it working. (in the above case, user input strings and SQL-queries could have different types)
Slowly, but surely you'd raise t
Large software corporations would benefit (Score:2)
Large corporations have armies of attorneys to cover their asses. Liability for software faults would benefit them because they have the resources to kill most any lawsuit against them. The opensource world, however, would whither and die because no weekend coder is going to risk everything because of a mistake. Expect large corporations to fully endorse software liability laws since it will remove the one kind of competition that they can't compete against on cost or functionality.
Agile and DevOps (Score:1)
"Even with the move toward more agile development and DevOps, vulnerabilities continue to take off..."
Agile (and possibly to a much lesser extent DevOps) are a part of the problem, much more than a part of the solution, even when they are implemented properly. The key problem with Agile in security terms is that the concept is entirely based around the lack of up-front design. While we have to accept that up-front design isn't always possible (how many clients today are capable of formulating exactly what t
Cost driven develupment. (Score:2)