Vendors should not be liable for their security flaws

Few tech vendors or content producers do everything they can to eliminate security flaws, but changing the rules isn't the answer

I was talking to a coworker about how so many businesses -- as exemplified by big banks and other financial firms -- seem to commit fraud and other criminal activity with impunity. A few end up paying hundreds of millions to billions of dollars in fines, but almost no one ever goes to jail.

My friend thinks the problem stems from the limited legal liability given to corporations, their officers, and stockholders. He believes the solution lies with changing stockholder responsibility.


When a company incorporates, stockholders' potential damages are limited to the value of their stock. Once the stock has gone to $0, all potential liability is over. My friend thought that the limited liability protection ought to be removed so that injured parties could sue stockholders for far more than just the value of the stock. He felt that stockholders, under threat of losing personal assets beyond their stock investment, would be incentivized to only invest in "safe" companies, and businesses would strive to be more honest and more secure overall.

It sounds like an intriguing idea, except for one obvious result: Who would invest in unlimited liability corporations? You'd end up with fewer corporations, fewer jobs, and less innovation.

Obviously, the system we have now needs correction, but you don't need to do away with the idea of the traditional corporation altogether. In fact, I would argue that, warts and all, we have about the level of risk we as a society have agreed to tolerate in return for greater reward. It just needs a moderate course correction from time to time.

I've come to the same conclusion regarding software liability. For decades, security hardliners have argued that software vendors should be held liable for their software vulnerabilities. They want to change commercial law, as my friend suggests above, to raise the risk a company takes. Then and only then, according to these believers, will software companies make significantly more secure software.

I call bunk on that idea.

For one thing, there's no such thing as perfect software. All software has bugs, and all software has security flaws. Even one of the strongest proponents of software vulnerability liability, Dr. Daniel J. Bernstein, who writes some of the most secure software in the world, has seen hackers uncover security bugs in his software. Few people in the world have the security skills that DJB has. But he is imperfect. He's human.
