Could a vulnerability tax work?

News 27 Jan, 2011

The new Apple security chief believes a vulnerability tax could really help make software safer. Could it work?

ANALYSIS: Apple’s new security chief, David Rice, has some interesting views on how to improve software security – in particular a vulnerability tax concept.

The soon-to-be global security head believes such a tax could be handled in the same way as a pollution tax, which makes companies pay for the amount of environmental damage they cause.

“We run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating,” Rice told Forbes this week.

“If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behaviour.”

He cited Gartner figures which estimated it cost around $1 million a year on average for a company with between 2,500 and 3,000 machines to patch its software.

“Let's deal with software, because it's the most significant issue and the most fixable. Insecure software is sending a clear message of disorder into cyberspace, and we need to deal with it at its root,” Rice said.

But could such a concept work? And what kind of impact could a tax make on the security landscape?

Not going to work?

Rice did not go into too much detail about how such a tax would work. Would vendors be fined or would they have to pay out a regular amount depending on how secure their products were?

David Jacoby, senior security researcher for the Kaspersky Lab global research and analysis team, had reservations about the idea.

There would be simply too many “ifs” to deal with, according to Jacoby.

“I personally think that this idea is not going to solve anything because not all vulnerabilities are programmatic vulnerabilities,” he told IT PRO.

“Some vulnerabilities exist because of the local configuration of the server the application is running on. There are also logical flaws that may exist in certain cases, and the severity of the vulnerability cannot really be specified by an external partner, since they have no idea what information the server handles, and how that vulnerability affects the client.”

Jacoby said vendors do need to be responsible for their software and have better routines for testing it.

“But one thing that we have to think about as well is that the hackers that we are fighting are also (in some cases) the people who find… exploitation techniques,” he added.

“What will happen if someone comes up with a new exploitation technique that affects all software written in a certain language?”

Kurt Baumgartner, senior malware researcher at the Kaspersky Lab global research and analysis team, said the tax concept did not seem to take into account that many bugs, if not the majority of them, are not exploitable.

“While a creative solution seems to be needed here, I can’t see a tax as a reasonable approach,” Baumgartner told IT PRO.

“Heck, the vendors cannot even standardise a system of quantifying the severity of their own vulnerabilities and patches.”

He added that different proposals could probably “be more reasonable and more suited to the problem.”