Who really should be responsible?

Bruce Schneier and many others are advocating making software vendors liable for buggy code if it can be proven to be the cause of a security breach. The argument is that when it hits them in the pocket book they will start being proactive about security and not reactive. This was espoused by Bruce at Hack in the box this week. Here is a ComputerWorld article that gives the condensed version. He states that we are losing the security war and that technology alone can't win it.

As would be expected I agree with his basic assessment. We are losing and no matter how much technology we throw at the problem we don't seem to be getting ahead. Not to mention that there is the human aspect to the problem. Management that doesn't really see the need to spend more on security, users who don't use basic common sense, mobile/remote users, poorly configured equipment (whether out of the box or by the sys admin). I'll stop here but we all know that I could go on and on. It's going to take more than education and technology to win this war. Bruce says that it will take economic incentives. I think that holding vendors responsible is a great idea, but I see flaws in it also. The legal system is one big flaw that stands out. If we are going to hold vendors responsible economically then we will have to prove beyond a shadow of a doubt that their poor coding and that alone was the reason for the breach. IT departments will have to prove that everything else was configured perfectly or the vendor will use that as part of their defense. "If exhibit A was improperly configured then how do we know that the breach wasn't made because of this."

It going to take holding both vendors and companies responsible and being aggressive in pursuing and prosecuting the bad guys. If this happens then the vendor will be forced to code safely and the companies would be forced to provide training, funding and the best possible IT staff. It would even weed out a lot of low hanging fruit on the IT tree.