Could a vulnerability tax work?
The new Apple security chief believes a vulnerability tax could really help make software safer. Could it work?


ANALYSIS: Apple's new security chief, David Rice, has some interesting views on how to improve software security, in particular a vulnerability tax concept.
The soon-to-be global security head believes such a tax could be handled in the same way as pollution, making companies pay for the amount of environmental damage they caused.
"We run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating," Rice told Forbes this week.
"If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behaviour."
He cited Gartner figures which estimated it cost around $1 million a year on average for a company with between 2,500 and 3,000 machines to patch its software.
"Let's deal with software, because it's the most significant issue and the most fixable. Insecure software is sending a clear message of disorder into cyberspace, and we need to deal with it at its root," Rice said.
But could such a concept work? And what kind of impact could a tax make on the security landscape?
Not going to work?
Rice did not go into too much detail about how such a tax would work. Would vendors be fined or would they have to pay out a regular amount depending on how secure their products were?
David Jacoby, senior security researcher for the Kaspersky Lab global research and analysis team, had reservations about the idea.
There would be simply too many "ifs" to deal with, according to Jacoby.
"I personally think that this idea is not going to solve anything because not all vulnerabilities are programmatic vulnerabilities," he told IT PRO.
"Some vulnerabilities exist because of the local configuration of the server the application is running on. There are also logical flaws that may exist in certain cases, and the severity of the vulnerability cannot really be specified by an external partner, since they have no idea what information the server handles, and how that vulnerability affects the client."
Jacoby said vendors do need to be responsible for their software and have better routines for testing software.
"But one thing that we have to think about as well is that the hackers that we are fighting are also (in some cases) the people who find exploitation techniques," he added.
"What will happen if someone comes up with a new exploitation technique that affects all software written in a certain language?"
Kurt Baumgartner, senior malware researcher at the Kaspersky Lab global research and analysis team, said the tax concept did not seem to take into account that many bugs, if not the majority of them, are not exploitable.
"While a creative solution seems to be needed here, I can't see a tax as a reasonable approach," Baumgartner told IT PRO.
"Heck, the vendors cannot even standardise a system of quantifying the severity of their own vulnerabilities and patches."
He added that different proposals could probably "be more reasonable and more suited to the problem."
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.