There are certain aspects of software such as security and overall quality that exhibit a very non-linear value curve. Vendors get punished for low quality/security but rarely get rewarded for doing a good job at both. With such a kinked evaluation function, it’s no surprise that most vendors are not spending enough time and resources to get security and quality right.
This has been the status quo for decades. It’s about to change in the next few years quite significantly. And, strangely enough, the largest ISVs, rather than being obstacles, will play a key, proactive role in making the change happen because they’ll seek a competitive advantage in doing so.
Let’s take Microsoft as an example. For years, one of the ways the giant has competed is by raising the bar on features. Raising the bar raises the cost of doing business for everyone else. It’s a time and money calculation. It’s the software industry’s version of the Cold War armaments race. MS, being the largest SW vendor, has the ability to both fund and cross-subsidize the buildout. Most others can’t follow. And now MS has figured out that security and quality can be positioned as a competitive advantage. It certainly took them a while and they surely have a huge legacy problem to deal with, but the resources they are deploying are mind-boggling. An MS exec I talked to about this in 2005 estimated the annual spend (encompassing developer education, added steps in the SDLC, etc.) to be over $1B per year. At those rates of investment, eventually they’ll meaningfully start impacting the problem, especially since MS has finally changed its stance on the willingness to inconvenience end-users (see Schneier’s post on why it may not be a great start, but it’s a start nonetheless).
The same applies, to varying degrees, to all other large vendors who have the resources to implement significant changes in the way they build software. None of them want the negative publicity associated with known and, worse, exploited vulnerabilities. Sometimes, guilt comes by association. For example, see the risks associated with hosting PDFs. Adobe is one of the companies that is most at risk and, hence, most likely to lead the change together with MS. (In fact, given MS’s legacy, Adobe may see a competitive advantage in pushing a stronger security/quality message.) The Flash player is the single most distributed human-made piece of software in the Universe (more fun to say it that way). The PDF reader is up there also. RedHat is another obvious choice and has been exploiting MS’s security weakness for quite some time.
The large buyers of software will have a role to play in this also, but it’ll be a secondary one. They’ve never been happy about the limited liability associated with SW. “Buy the SW, pay maintenance, spend resources deploying and managing it, deploy countless patches and get stuck with all the risk caused by poor quality and security vulnerabilities.” Doesn’t sound like a great pitch, does it? Given the inherent complexity of software, we’re a very long time away from software vendors assuming liability. (When building software becomes as predictable as building bridges, it’ll come.) Whenever big software buyers such as GE rumble about liability, it’s a codeword for extorting some concessions, e.g., free services, from a vendor. In the meantime, it’s business as usual.
What can change the dynamic on the buyer side is a consistent framework of measuring the risk inherent in a piece of software given the environment it’ll be put to use in. Once that becomes available, buyers will have a way to more meaningfully take security and quality into account during the procurement process. Right now it’s more of a binary decision–either the software is deemed fit for use or not. That’s a gross oversimplification which furthers the vendor bias towards just clearing the bar but going no further. When the evaluation metric switches from a binary to a continuous scale, the last obstacle to security and quality being taken seriously by software vendors will be removed. Software cost may go up but TCO should go down and everyone will be better off.