While having my coffee this morning I came across this short posting on the Sophos blog titled “License to code”. After i had some good conversations at the last ISSA UK chapter meeting about code quality from a security durability point of view and what implications this (should) have on liability of the software vendor i hoped that Sophos would provide some further insight along those lines. I was somewhat disappointed to see that the conversation quickly drifted off to start yet another discussion on the usefulness of signed applications. The analogy about licensed surgeons stated in the article makes sense (it should as it is taken out of David Rice’s excellent book Geekonomics) but quickly looses its relevance taken out of context as the point made is not towards signed code (which would relate to the surgeons scalpel) but the surgeon itself being licensed/certified to a certain skill or quality standard.
So the question to me is less one whether it makes sense to sign code since signatures can be forged and loose some of their overall trustworthiness; this is an arduous question to ask and leads to counterproductive discussions if we should do any signing at all since there are situations where it will not be 100% trustworthy. Yes it will be abused, exploited and overcome by malware distributors, but it raises the bar ever so much and sets the scene (or infrastructure if you will) from where the trusted software culture can evolve further.
The question to me (as a consumer of applications) is rather if we can now start to not just certify the origin of the application but also certify the reliability and quality of the coder/distributor with similar consequences in regards to liability as the before mentioned surgeon ‘enjoys’. I certainly do not want to advocate dropping the liability hammer on software vendors but i think it is time to re-evaluate the fairness of cost distribution in the information security space. It amazes me to see how Information Security and Information Technology departments struggle to get funding to mitigate problems introduced by software vendors who enjoy the benefits of the purchase price but take no responsibility for the follow up costs incurred by insecure code. Here’s a thought, would it be wrong to demand that software vendors producing insecure software sponsor mitigation vendors (like WAF, AV, etc) since they are one of the main causes for this industry to be around in the first place?