Wednesday, February 17, 2010

How the security industry is going to change once vendors are held liable for buggy software

Today I came across an article which demands that vendors be made liable for buggy software. The group, led by SANS, came up with a list of the top 25 coding exploits and claims that most of them are well-known coding errors.

How is the security industry going to change once vendors are made liable for buggy software?

Well, as of now there is no monetary penalty imposed on software vendors for buggy software; the only penalty is bad PR. As this does not affect the balance sheet of the company, most of the heads pay little attention to secure software.

Once vendors are made liable for buggy software, it is going to incur an unknown variable cost: the company has to pay for the buggy code it ships. Financial heads would rather have a known *fixed* cost than an unknown *variable* cost. They can convert the variable cost into a fixed cost by opting for an insurance policy, thus shifting the liability to an insurance company. Well, this solves the problem of variable cost for the vendor. How is this going to help the software security industry?

Once insurance companies enter the software security industry, they are going to define standards, the same way insurance companies have defined standards in the lock and anti-burglar alarm industries and charge shop owners based on the anti-theft mechanisms they follow. The only reason a shop owner installs a burglar alarm or a strong steel vault is that it reduces the insurance premium he has to pay to insure the shop.

Similarly, insurance companies are going to define standards in the software security industry. They will charge less for companies that follow a higher level of secure coding standards than for companies that follow a lower level. What this means is: now, in order to reduce the insurance premium, the heads of vendor companies are going to care more about secure coding practices and encourage their teams to follow them. Instead of churning out software with lots of features, programmers will spend more time delivering secure software.

Let's hope that some day vendors will be made liable for buggy software.