Conclusion 12/10/04

The ultimate solution to making software more secure is not solely a technical one: new technologies, such as tools, and more skilled engineers are important, but insufficient by themselves. Even with great brain-power and expense focused on security, software is unlikely to be completely defect free. Other solutions, be they legal, economic or policy, are needed to push organizations and society toward devoting more resources to improving the security of our networked systems as a whole.

Policy-makers can use their law-making power and their power over purse-strings to encourage organizations to devote more resources to improving software security. They can threaten software vendors with a stick by enacting software vendor liability laws, but adding risk to the development of a cutting-edge technology can stifle innovation. They can encourage the market to push vendors toward making more secure software by, say, having the government refuse to purchase any software that has not been certified by an independent lab. Or they might extend carrots to help organizations improve the technology and technical skills behind their software: grants to universities for research into better tools and languages, or to start software engineering programs. Until consumers and producers deem security to be a feature, however, it will be no more than an extra expense in the development cycle.

There is no one easy answer to software security. Our paper has described several possible approaches for improving it and each has problems. Software is inherently error prone and costly to secure. Vendor liability might stifle innovation. Licensing too. And since we do not currently have the ability to create an independent lab that gave can meaningful ratings, it might be best not to try. We hope after reading this paper that policy-makers are now a bit better equipped to avoid poor decisions on this issue.