I recently read an article quoting some “cyber security experts” discussing offshoring and cyber security. Part of the article says that the government should not regulate software security because this would increase the cost of software and push more development overseas. There is some logic to this argument, but it is the same excuse I hear from software developers who don’t want to fix their code. The argument being made is: “I can give you crappy software at a price that is competitive with offshored labor, or we can give you good code at a price so large it will make you okay with offshoring.”
I’m not a fan of government regulation, but something has to give. For decades the general public has been acting as beta testers while software vendors work the kinks out of their software. The obvious downsides are weekly security updates from Microsoft, malware that can take over a computer in a single click, and the building of zombie computer armies. While we are seeing some companies get better about writing secure code, it is not industry wide. Security remains an obstacle to getting to market quickly and an afterthought once in the market. This mentality will continue until something changes.
The Payment Card Industry Data Security Standard (PCI DSS) is a great example of self regulation. PCI DSS is not perfect by any means (ask Heartland Payment System), but it forced some companies to make security a priority. Even if the priority is just to pass an audit, that is still positive yardage for their customers. The private and public sectors need something like PCI DSS.
The answer could be self regulation: a consortium of software vendors agreeing to a security standard and then being allowed to put the group’s logo on their software. Will this happen? Probably not. Humans usually don’t change until there is a large enough event to force the change. I would rather not wait around for that event, so government regulation (or the threat of government regulation) is the next best thing.
Part of whatever regulation comes about should include stipulations for supply chain risk management. Code coming from offshored development shops is subpar functionally speaking, and even worse for security. If we are going to make software secure, it has to start at the requirements and be part of design, coding, testing, and production. Who writes the code or where it is written should not matter. Developing software without security is writing crappy code, plain and simple.
If this makes the cost of software rise, so be it. I would much rather pay more for software and not have to worry about clicking a link that will take over my computer, steal my bank password, and then make me spend hours on the phone trying to get my money back.