Security States

Bad Code: Part III

By Jane Chong
Tuesday, October 22, 2013, 2:13 PM

What do software users have in common with Mary Mallon, better known today as Typhoid Mary? A lot---and that's why we shouldn't be leaving the quality of code in the hands of the market. Confused? Connect the rest of the dots over at Security States, where we've just published the latest installment in our series on what it would take to hold software makers liable for the insecurity of their products.

Part 1 offered an overview of the problems associated with insecure software; Part 2 argued that the technical challenges associated with minimizing software vulnerabilities weigh in favor of, not against, imposing liability on software makers. Here is an excerpt from Part 3:

Security experts have written tomes on why monthly patch rollouts and steadily proliferating antivirus options do not collectively constitute a viable security solution to the problem of insecure code. But more can be said about the nature of this inadequacy, which traces back to the inadequacy of users. Consumers of “Internet hygiene services” are ultimately as ill-equipped to bear the burden of shaping the market to minimize software security risks as Mallon’s employers were to control the spread of typhoid. The analogy applies on two levels, for as users we play the role of the victims—the New Yorkers who hired Typhoid Mary—but in important respects we also play the role of Mary herself.

Three features make Typhoid Mary a relevant analogy for the modern software user and shed light on why relying on users to make responsible cyber hygiene decisions cannot make for a responsible national cybersecurity policy.