Could a vulnerability tax spur vendors to improve security?

He has recently been appointed as Apple’s global director of security and he is expected to begin his work in March, but former National Security Agency cryptographer and SANS instructor David Rice is already positioning himself on the frontline of the security debate by proposing a vulnerability tax as way to push software manufacturers to get (even) more serious about security.

Comparing it to a pollution tax, he wants the companies to pay for the damage they make with insecure software. He believes that such a tax could directly affect the users’ choices. “When insecure software starts costing more, people will adjust their behavior,” he said to Forbes.

He thinks that the tax would create a very strong incentive for companies to clean up their act and test their software more thoroughly.

“Software vulnerabilities, like pollution, are inevitable – producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it’s willing to pay for vulnerability in software.”

He believes this solution would hit the problem at its root, but other security experts are not convinced – even as they agree with Rice on the need for software vendors to concentrate more on security.

Kurt Baumgartner, senior malware researcher at the Kaspersky Lab, thinks that the concept is flawed since it doesn’t take in consideration the fact that not all vulnerabilities are exploitable.

He also doesn’t see how the tax system could be instituted when the vendors themselves can’t find a way to quantifying the severity of their own vulnerabilities in order to agree on a standard.

Sophos security expert James Lyne doesn’t reject the idea, but is concerned about the impact it would have on product development and innovation in general.

“Such an initiative had to be managed carefully however, many brilliant technology platforms generating business value start of life as underdeveloped, under resourced applications,” he said to IT Pro.

Senior security researcher at the Kaspersky Lab David Jacoby is rather skeptic regarding the possibility of implementation of such a tax. He emphasized that not all vulnerabilities are the result of programming.

“Some vulnerabilities exist because of the local configuration of the server the application is running on,” he pointed out. Also, it would be difficult for somebody on the outside to evaluate how much the flaw really affects the client when they don’t have access to the information the server handles.

He also raised the question of what would happen if someone comes up with a new exploitation technique that affects all software written in a certain language. Technically, this is not the vendor’s fault. In short, he thinks that there are too many variables that would have to be taken in consideration in order for such a tax system to succeed.