Bruce Schneier’s latest opinion piece in ComputerWorld, entitled Make Vendors Pay For Security Flaws, is correct in its premise but flawed in its proposed solutions. We should make vendors pay for security flaws, but increased liability law is not the answer. IT managers need to learn to vote with their feet.
Mr. Schneier argues several good points. He first points out that it is mostly the consumer or the IT department that shoulders the burden of security, and the consequences of bad software security. He illustrates that software vendors have no financial incentive to make more secure products. But there are two points that I’m sure he is wrong about. I don’t believe that the end consumer should bear the cost, and I don’t believe that security liability laws are an effective solution.
[edit]Bruce has posted his article on his Schneier on Security blog, and was kind enough to link back to this rebuttal. Please click here for more discussion on the topic.[/edit]