Enterprise Software



Software Liability Debate Report

Group B

DeLynn Bettencourt

Kevin Cheng

Yuval Elshtein

Fong Hui

Qintao Zhang

Introduction

Everyday, thousands of computers around the world are illegally breached because of software security flaws. Naturally, itIt is obvious that this situation will have negative repercussions if security flaws in software are not found and fixed. For example, there are virus creators who exploit these security flaws with their "internet worm(s),"s,[1] resulting in fraud, the release of confidential information, and the loss of business due to downtime. The consequences of such exploits are damages to businesses, organizations, and the general public. The National Institute of Standards and Technology issued a study in July 2002 that claimed software quality cost the industry nearly $60 billion a year while customers bear about two-thirds of that cost..

The question of who is responsible has transcended itselflead to raging debates between parties with contradicting opposing interests. This report will provide an overview of the software securitythis debate we mentioned, and we now present i. Issues and statistics from both sides of the debate are presented. Please note that there exist Since many of there are end end-users who require customized IT software solutions (i.e. Mission mission Ccritical, and Eenterprise solutions and Home) which are agreed upon via a complex contracts, but are content specific, they are categorized as outside of the context of our arguments. Rather, our we have chosen to focus our argument will focus more on the software product providers, whose ’ relation to withto the market which is morecloser to that of a product includes the supplier and buyervthan that of s a solution provider..

PROPro-Liability: Vendors should be liable for software security issues

The majority of security holes are due to poor programming and a lack of quality control. Software manufacturers usually place far more emphasis on getting a new system out of the door with profitable features than on ensuring that the system is with good security qualitysufficiently secure before it isit’s released. The enterprise software users, on the other hand, Because of this, the enterprise software users have to spend use extra effort resources to identify and track bugs security flaws during the deployment process.[2] There are no other consumer products for which customers have to do so much to ensure product safety. If software manufacturers do not suffer any negative consequences for putting out bad software that carry enough weight for putting out bad software, then they will only respond to the benefits of getting software out faster, and ; they will continue to keep on produceing insecure software.

The computer industry has not succeeded no real economic incentiveinterest in to improveimproving software safety due in those areas thatwhere their to customers’ lack of choice; in other words, there is no incentive to fix security flaws when customers suffer from lock-in[3]. Oracle, for instance, controls the market for enterprise database software. Its users, with a huge amount of data on the system, are so reliant on the product that they have no way to threaten Oracle with shifting to another provider. There is not much pressure on these software vendors to make the product more secure[4].

Software security issues are often exacerbated by a lack of transparency of the system to the customer—not enough information about the system is disclosed to the customer, so the customer is not informed enough to know how to handle some security issues. Additionally, and customers often have no real way ofto evaluatinge the software before signing the contract with the vendors. To make matters even worse, Oracle, Microsoft, and other software manufactures include provisions in their licenses that forbid criticism of their software without permission.[5] These End User License Agreements (EULA)[6], commonly called “shrink wrap” or “click wrap” contracts, eliminate consumers’ ability to seek compensation if the software does not perform as expected. Some firms even threaten researchers who publish security holes with civil and criminal litigation under copyright law. These privileges enable the software vendors to hide the known software flaws and escape from the liability for software security issues.

NormallyIn most markets, manufacturers are held liable for products that are predictable predictably dangerous. When manufacturers in industrial markets are Being held responsible for the failure of t when their products, fail has urged manufacturers in industries to improve their safety records often improve. For instanceexample, imposing liability and creating manufacturing standards for cars has greatly improved cars’ safety. If software vendors are held liable for security holes, then a similar improvement (in the form of adequately testing for security holes or flaws) can be expected.Software vendors should also be held responsible if they ship programs without adequately testing for security holes.[7]

If software manufacturers are forced by the shadow cost of security to improve the security of their products, then at the very least manufacturers will reap the benefits of doing things right the first time by avoiding the Meanwhile, manufacturers producing insecure software also face the large amount of expense to patch, bad reputation, and potential loss of sales of their software. By improving the quality of the software, manufacturers can avoid these risks. The software vendors, such as Microsoft, Oracle, have made tremendous profit by providing enterprise software. They should have ability to afford the better testing to ensure the security quality of the product.

Issues supporting ProSummary of supporting points (Pro-liability):

• There’s an economic incentive for companies to get focus on getting software out faster and not onneglect the quality of the software. If software manufacturers do not suffer any negative consequences for putting out bad software, then they will only respond to the benefits of getting software out faster, and; they will continue to produce keep on producing bad software. Therefore, holding vendors financially viable will motivate them to fix the software before distribution.

• Market forces is are not adequate in motivating companies to invest in regulating software security so the government needs to step in to regulate; holding vendors financially liable is the only way to economically motivate them to fix security flaws in software before distribution..

• The government should be involved because if a software resides on affects entities that are in the public domain (for example the Internet. ) - Aany potential threat in to the a public domain infrastructure is of interest to the government to regulate.

• The expectation that end users are responsible for security issues within software codes is faulty. Users can be expected to have basic knowledge of security breach prevention (such as firewalls, anti-virus applications, etc.) and to patch their systems at best, but they should not be expected to be able to self-detect and fix any flaws in the software code itself. The Aanalogy is that a car owner is expected to service and maintain his/her vehicle but isare not expected to be able to fix a car when there is a mechanical failure. Responsibility to fix securitysuch a flaws should rest on the IT professionals or the software providers.

• The lack of transparency of software to the user often makes it difficult for the user to handle in software security issues without the help of the software provider.

• EULA, commonly known as “shrink wrap” or “click wrap” contracts eliminate consumers’ ability to seek compensation if the software does not perform as expected. These privileges enable the software vendors to hide the known software flaws and escape from the liability for software security issues. If these EULA hold up in court, then software vendors will not be held responsible if they ship programs without adequately testing for security holes.[8]

• If users are allowed to sue the software manufacturers for damages caused by security vulnerabilities, then the shadow cost of producing insecure software will rise drastically for software manufactures, making devoting extra resources to ensuring software security economically viable. Costs of producing more secure software will be passed on to users, but the increased cost of software should be offset by the fact that the software will cause fewer problems—problems that are costly for the end-user to solve/remedy.

CONCon: Vendors should not be responsible for software security issues

Currently, most enterprise software vendors respond to customer complaints and fix bugs either in patch or maintenance release version. Although no court of law officially has regulated software vendors legally liable for software security flaws, enterprise software customers have received large financial settlements from software companies.

There is a question of whether holding One question is whether this enforcement, if software companies are liable for product quality (in terms of security), can be realistically be helpful in eliminating security flaws. Not only may v endor

Not only liability might not be the appropriate tool for reducing the number and severity of software security holes, but also holding vendors liable mayit might cause negative side effects on software industry, such as the elimination of small-to-medium scale software vendors due to the heightened shadow cost that vendor liability imposes..

Software is different from other consumer products, such as a car. Therefore, liability models cannot be compared. The biggest difference is that people don't purposely abuse cars seeking defects like they do with software. There are simply no real “hackers” for cars, while there are large groups of people finding security flaws in widely used products such as Microsoft Windows.

. In order for software to be compromised, a third-party attacker is necessary, and he is “aided and abetted” by bug/security flaw finders. How can software providers be wholly responsible when they are not the ones with the malicious intent to exploit users’ machines?

Moreover, there are no software vendors intentionally creating defects. However, it is unlikely to, and at the same time, it is impossible to create absolutely perfect software. Then who should be blamed for the software insecurity issues and what can we do to ensure a safer I internet? Moreover,

Finally, a liability case could take years to move through the courts, while the software has a relatively short life cycle and it could even become obsolete before the case comesame to trial. Thus, even if software liability is confirmed, the other than the potential for financial damages to be awarded to the plaintiff, outcome could be basically mootirrelevant. Also, this would burden the already backed-up legal system with more cases.

Summary of opposing (con) points (Anti-liability):

Issues supporting Con:

• Software is a uniquely complex product that will always have some defects. It is impossible to make error-free software.

• It is, however, possible that software developers don’t have all the skills they need to develop secure code and that they need to be trained better. According to the research published in Technology Strategy and Management magazine, the median level of 0.15 defects per thousand lines of code as reported by customers in a year after release during 2002-2003 compared with 0.6 defects reported in 1990. This shows that software vendors have made remarkable progress even it’s still far from perfect.

• The Internet is an open system. Enterprise software is designed for large data sharing and data transactions and it has to be executed in an open Internet system to efficiently fulfill the enterprise software functionalities. Therefore, because we have an open system, we musthave to deal with the inconveniences of hacker activities.

• Software manufacturers cannot predict how software will be used or where and how it will be installed. This lack of information makes it impossible for manufacturers to guarantee software for fitness of use. Users can adapt enterprise software through configuration. They Users demand this flexibility, but this characteristic of enterprise software makes the testing process more complicated, thus making this softwareit secure becomes more difficult.

• Many small-to-medium software manufacturers would leave the business if faced with liability suits, leaving a few remaining large manufacturers to serve a large and growing marketplace. In other words, oOnly the largest software manufacturers will be able to afford the risk imposed by the added liability, thus eliminating the competition.

• Under threat of litigation, software vendors might feel too risky to release a new product or write new functions, and so that the customers will might not be able to enjoy the benefits of thesethe new software products and features. features in time and the released version might potentially have few features

• Innovation will slow or will be destroyed completely, because it won’t be worth taking the risk to develop new functions or applications.

• An alternative to litigation is to Rrequire software companies to provide a "software safety data sheet" that includes detailed information about how their software operates, with the same points information that host intrusion-prevention solutions (HIPS) currently discover in the aftermarket. T In this way, the consumers will have more knowledge about the quality of the products and be able to prevent hackers’ attacks properly.

• It Litigation will make people reluctant to integrate their software with anyone else’s since they are not sure how the software will be used and whether the software security will cause any troubles to the manufacturers be compromised after the integration.

• Meanwhile, Lock-in will become more prevalent because open file formats or plug-ins or other interoperable functions will mean that control is lost over some inputs or program operations, and software manufacturers won’t want to risk that.

• However, exposureExposure to more lawsuits does not fully guaranteemean that software vendors will properly address security testing.

• The increased use of more popular software will allow for more security issues to be reported, so the liability costs born will be disproportionate to that of less used software; the rate at which flaws are found is a function of how many people are using it.

• The unleashing of a virus, that turns the software holes into security damage for computer users is a criminal act. No matter how careful software vendors might be, hackers are always tryingwill most likely be able to find ways to break the systems. There is no such thing as an absolutely secure piece of software. Holding liability on software vendors wholly responsible would misplace place the blame onto a third party, onto the producers instead of ononto the real criminals. Enforcing criminal penalties will significantly reduce the number of Internet security issues.

• So far, only commercially produced software has been addressed. Open source software has the advantage that freely available source code encourages peer review, which in turn, makes software less buggy because there are more pairs of eyes finding bugs. Since open source software is free and the code is provided, consumers should be able to test the software quality and modify it as needed. There is no reason to put place the liability on those open source providers who do not receive income from their software.to the providers.

Interesting Facts

The current statistics on buggy flawed software[9]

• The Sustainable Computing Consortium reported, that there can be as many as 20 to 30 bugs per 1,000 lines of software code in most software applications

• The Cutter Consortium claimed that of the software firms it polled, 32 percent admitted releasing software with too many defects, 38 percent said their software lacked an adequate quality assurance program, and 27 percent said they do not conduct formal quality reviews

• In his book titled Software Quality: Analysis and Guidelines for Success, author T. Capers Jones reported that:

o No method of removing software defects or errors is 100 percent effective

o Formal design and code inspections average about 65 percent in defect-removal efficiency

o Most forms of testing are less than 30 percent efficient

• Few companies have a system of peer reviewing of code in place, yet the Institute of Electrical and Electronics Engineers (IEEE) concluded that peer reviews of software will catch 60 percent of all coding defects

Conclusion

We understand that the issues with the problems lies with flawed software are grave and that it’s necessary we need to reassess our methods of addressing software security. However, we also feel that can also understand that there is no clear-cut way of defining security in software. The reason being is that even a system with noif a system meets the customer’s specification, security flaws is still not secure if it "doesn't adequately control access, protect integrity, provide availability, and otherwise meet security policy goals. " Software is by nature a very complex entity that caterstailors to a wide spectrum of users, and it. It is practically impossible to write a flawless software code.

The general attitude thatperception that software providers have towards security is that they will will provide users them with patches to fix their security flaws is not might not in fact be adequate. Rather, What is adequate measures includeis having good policies, the appropriate tools, and trained administrators that can create a dependable and secure computing environment. Providing security is a service that involves many parties. It is not just the software manufacturers but also the end users including the enterprise software users, mission critical software users and home software users.

In general, the main players in security are humans and by nature humans have flaws. As a result of the role human nature plays in this whole ordeal, software security has become a very vague, not to mention controversial, topic around the world. Hence, regulating the vague notion of software security by holding only one party, the software manufacturers, liable is a flawed proposition. Group B hopes to argue the “con” side: that software providers should not be legally liable for security flaws and vulnerabilities.

-----------------------

[1] For a good definition, see:

[2] Source: “Manufacturers should be liable when computer bugs leave consumers in the lurch”

[3] Source: “Manufacturers should be liable when computer bugs leave consumers in the lurch”

[4] Source: “Manufacturers should be liable when computer bugs leave consumers in the lurch”

[5] Source: “Manufacturers should be liable when computer bugs leave consumers in the lurch”

[6] End-User License Agreements

[7] Source: “Manufacturers should be liable when computer bugs leave consumers in the lurch”

[8] Source: “Manufacturers should be liable when computer bugs leave consumers in the lurch”

[9] Source: “Can Software Kill You?”

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download