Pogo said it best: “We have met the enemy and they is us”. Bob Blakely asks us the vendors four basic questions on security:
Are we willing to give anything up?
Are we willing to do anything different?
Are we willing to take any blame?
Are we willing to give any guarantees?
The answer to all of these questions really depends on who we is. I am not, for instance, willing to give up earning a paycheck in the software industry. Which means the things I am willing to give up or do different is constrained by the other we’s that determine the success or failure of my employer.
Let me give you an example; Vista UAC. Here is an example of a classic trade-off between security and convenience. And the users hate it. Worse for Microsoft it’s presence hasn’t helped sell Vista even for business use.
So what we are willing to give up and do different is constrained by a market that wants security without any additional cost, or effort on the end user.
How about open source? Who gets the blame for those vulnerabilities?
As for guarantees, they are a good idea, but there has to be a limit. No software company can take the liability for the end users losses in a security breach. The reason is simple. The liability is open ended, but the cost of the software is not.
While Bob’s questions are interesting, they are not the important ones. The important questions are:
Are you as the consumer willing to factor security into your buying choices?
Are you willing to pay more for higher security?
Are you willing to have fewer features if it means a more secure system?
Are you willing to take responsibility for your own actions?
The answer to these questions today is no.