[Owasp-brazilian] Insecure software costs US $180bn per year - interesting story

Cesar de Afonseca e Silva Neto cesar at leadcomm.com.br
Tue Apr 22 16:29:09 EDT 2008


I don't know if you've seen this – very "good"!




Cesar de Afonseca e Silva Neto

LeadComm Performance & Security Solutions

5511 5505 0505 Office
5511 8101 0002 Mobile

 <http://www.leadcomm.com.br/> www.leadcomm.com.br



FYI:  An interesting article and book.  Would help our biz a lot if his
ideas were made into a reality.


Some nice stats as well:

*	that the actual cost of insecure software to the U.S. is at least
$180 billion per year
*	the U.S. cybercrime market is around $117 billion


Insecure Software Costs US $180B per Year
'Vulnerability tax' might be the answer, says SANS instructor and security
expert David Rice 
By Kelly Jackson Higgins
Senior Editor, Dark Reading
Consumers have protections when it comes to E. coli-ridden vegetables,
lead-tainted toys, and other defective products. Why not from insecure and
vulnerability-flawed software that threatens their personal data? 

That's one argument posed by David Rice, director of the Monterey Group
<http://www.montereygrp.com> and a SANS course instructor who has just
published a new book called "Geekonomics: The Real Cost of Insecure
Software" <http://www.geekonomicsbook.com>. 

In the book, Rice, who has worked on national security issues for the
National Security Agency and the military, poses a bold solution to cleaning
up what he calls the "pollution" of insecure software: instituting a
"vulnerability tax" on vendors. 

"I know [tax] is a four-letter word in this country," Rice said in an
interview with Dark Reading today. "I expect a lot of heated debate." 

He estimates that the actual cost of insecure software to the U.S. is at
least $180 billion per year, although he acknowledges that such numbers are
"soft." He based his estimates on other numbers -- including a recent
General Accounting Office report that says the U.S. cybercrime market is
around $117 billion -- as well as other reports, such as estimates of
worldwide phishing operations of $350 billion per year. 

But it's Rice's controversial proposal for making the software industry more
accountable for flawed software that is likely to raise some eyebrows. It's
a taxation model akin to what automakers pay, and which buyers ultimately
absorb when purchasing carbon-emitting vehicles. 

According to Rice, software bugs have led to everything from physical danger
(software defects led to a 1996 Boeing 757 crash) to infrastructure
disruption (the 2003 power blackout caused by a software problem) to a
burgeoning cybercrime market. 

Rice acknowledges that taxing software vendors would cause an unpopular side
effect: Consumers would ultimately pay more for software. But the software
theoretically would be less buggy. "Right now, people don't feel the social
cost of insecure software," he says. "That's what this model tries to do." 

Just as a traditional manufacturer would pay less tax by becoming "greener,"
the software manufacturer would pay less tax for producing "cleaner" code,
he says. "Those software manufacturers would pay less tax and pass on less
expense to the consumer, just as a regular manufacturing company would pass
on less carbon tax to their customers," he says. 

It's not clear how the software quality would be measured, he says, but the
idea would be for a software maker to get tax breaks for writing code with
fewer security vulnerabilities. 

And the consumer ideally would pay less for more secure software because tax
penalties wouldn't get passed on, he says. 

Rice says this taxation model is just one of many possible solutions, and
would likely work in concert with tort law or tighter governmental
regulations. This accountability approach would likely vary from country to
country, he says, but it's a global issue. "This is a global concern. I'm
not sure we're going to see a Kyoto protocol here, but there would have to
be some type of concerted international effort" to handle insecure software,
he says. 

There's no way to write flawless software, Rice says, but vendors need to
step up and better protect the consumer. "We're not asking for perfection in
products, but for some level of accountability," he says. 

