In his 2000 article discussing software and complexity, Bruce Schneier, CTO of BT Counterpane, wrote: "The technology industry is driven by demand for features, for options, for speed. There are no standards for quality or security, and there is no liability for insecure software. Hence, there is no economic incentive to create high quality." What's more, Schneier ends the paragraph by saying "...unless customers demand higher quality and better security, this will never change." Eight years later, there remain only modest gains in software security--fewer on the subject of better coding practices, and more on the subject of vulnerability disclosure.
I recently had a chance to talk with Chris Wysopal (also known as Weld Pond) who offered some insight on why software remains insecure. Wysopal was an early member of L0pht, started the VulnWatch mailing list, and most recently cofounded Veracode, a company that provides binary analysis to software developers to find flaws before they ship their software. But the goal of holding software vendors accountable or maybe one day providing an independent seal of approval for software products remains elusive.
Vulnerability reporting today
I asked Wysopal about the current state of vulnerability reporting. Currently, a researcher will privately inform a software vendor that there's a problem. In an ideal world, that vendor will drop everything and first see if the vulnerability exists; then, if it does, issue a patch. Wysopal called that the vendor's best practice; the researcher's best practice is to give the vendor that chance to fix the flaw first. The problem, says Wysopal, is that it's a pretty vague standard.
Wysopal says that some security flaws can be fixed in a day and tested in a couple of weeks, and the vendor should have a patch out within a month. But he says, "I can see it taking a couple of months to fix, maybe a couple of months to test. So it is somewhat relative. But it shouldn't be taking more than three months to fix the vast majority of security flaws."
Awareness by users
I asked Wysopal if there is enough awareness among computer users about vulnerabilities, or is it still something that we in the computer community talk about and people outside of that don't really think or know about it? Wysopal said "I think the average computer user takes it for granted that there's some problems in the software somewhere."
"They don't understand where (the flaws) are and, every once in a while, they lose data, or their identity gets stolen, or the system crashes and they have to install a patch. I don't think they have any awareness that the software from one place would be better than from another, or that they can make changes to make their system more secure. I don't think that education is out there."
A seal of approval
I've floated this idea since 2001: Why not have an independent third party vet software? Wysopal agreed. "If there was some sort of a seal of approval on software, that could be the start of something very simple. A user could look at it and say, 'You know, this software has actually been tested by a third party and got a seal, but this product hasn't had any testing.'"
He said there have been rumblings in the field about the need for such an entity for years. "We have it in every other industry, from five-star safety ratings on cars to UL tags on electric appliances. Not that anyone really looks at those any more, but they probably did back in the '30s."
Big business
Rather than wait for a third party to emerge, however, Wysopal thinks a different solution may happen first: The big customers (read: large corporations) are going to start to demand software testing. "This is what we saw happen with Microsoft. When they had problems about six years ago with all these worms, Microsoft's big customers said, 'You know what? This is costing me so much money, I'm just not going to upgrade to Windows; I'm going to move to Linux.'" Wysopal said that Trustworthy Computing and all the recent security talk from Microsoft came not from concern expressed by home users, but from the big, corporate customers getting upset.
"I think that for software to get better, we have to have the purchasers of the software, especially the influential ones, the large, Fortune 100-size companies that spend billions and billions of dollars on software...to say, 'You know what? I need some sort of a third-party check on this software before I sign the check and then pay you for it.'"
Why software still sucks
I think the economic incentive is key. Until we as customers--big and small--start voicing our dissatisfaction by not buying insecure software applications, it's unlikely that software vendors will change their ways. Why should they? On the other hand, as Schneier and others have noted, with the increasing complexity of modern software, the number of connections it is expected to make, and the number of user-driven customization features, no software vendor can test every possible configuration of their 'ware.
But there can be a set of best practices that all the vendors adhere to, and possibly the assurance that one product with a seal of approval will also play nice with other products carrying the same seal. If so, then we can start to build a foundation of trusted software. Until that happens, it's very much caveat emptor.
You can hear more of Wysopal's comments in this week's Security Bites podcast.
Will the big customers demand that non-Microsoft software be secure in the near future, or will software continue to suck? TalkBack to me.