Geekonomics: The Real Cost of Insecure Software

This book offers one of the most comprehensive and rational arguments for fundamental changes to the way software is developed and made commercially available. In addition, the author provides several alternatives for these fundamental changes the business of providing software along with a recommended approach that is practical and thoughtful.

First the good news -- in a fascinating and timely new book Geekonomics: The Real Cost of Insecure Software, David Rice clearly and systematically shows how insecure software is a problem of epic proportions, both from an economic and safety perspective. Currently, software buyers have very little protection against insecure software and often the only recourse they have is the replacement cost of the media. For too long, software manufactures have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Geekonomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome warned us against driving unsafe automobiles; Geekonomics does the same for insecure software. Now the bad news -- we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Brittany Spears' antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors, is somewhat of a pipe dream. Geekonomics is about the lack of consumer protection in the software market and how this impacts economic and national security. Author Dave Rice considers software consumers to be akin to the proverbial crash test dummy. This combined with how little recourse consumers have for software related errors, and lack of significant financial and legal liability for the vendors, creates a scenario where computer security is failing. Most books about software security tend to be about actual coding practices. Geekonomics focuses not on the code, but rather how insecurely written software is an infrastructure problem and an economic issue. Geekonomics has 3 main themes. First -- software is becoming the foundation of modern civilization. Second -- software is not sufficiently engineered to fulfill the role of foundation. And third -- economic, legal and regulatory incentives are needed to change the state of insecure software. The book notes that bad software costs the US roughly $180 billion in 2007 alone (Pete Lindstrom's take on that dollar figure). Not only that, the $180 billion might be on the low-end, and the state of software security is getting worse, not better, according the Software Engineering Institute. Additional research shows that 90% of security threats exploit known flaws in software, yet the software manufacturers remain immune to almost all of the consequences in their poorly written software. Society tolerates 90% failure rates in software due to their unawareness of the problem. Also, huge amount of software problems entice attackers who attempt to take advantage of those vulnerabilities. The books 7 chapters are systematically written and provide a compelling case for the need for security software. The book te

Anyone that knows me at all can tell you that I am not a fan of Fear, Uncertainty, and Doubt (FUD) in making the case for effectively managing risk. As a professional in the information security business, it is all too easy to use FUD as the "easy way out" when trying to convince people of the severity of vulnerabilities and so on. I am pleased to say that David does not employ this tactic in his book. He makes a very reasoned case, building it with example after example of how poorly software is constructed and how deep the rabbit hole goes in software manufacturers' efforts at liability avoidance. So far, the reviewers of this book are all "security people". Please know that there are caveats to such reviews - namely, we are always looking for the "aha" publications that tell the rest of the world what we have known for a while now. This is one of those, and it may very well be the first I've really enjoyed while trying to put myself in the shoes of the "average computer user" in the world today. My usual way of doing this is by asking myself "Will my mom understand this?" I'm very pleased to report that my mom could in fact "get" the big picture David is painting here - namely, that software is something we are relying on as a critical part of society today, and it is just as fundamentally flawed as the early sewer systems he describes early in the book. What's great about this book, aside from the points already articulated by the other reviewers, is that it takes a problem we all know exists (most software is crappy) and forces you to look at it from a number of different angles. How many books do you read in a year that actually cause you to ask yourself questions? Probably very few, I'd guess. This is a book that challenges you to think about things differently; for instance, a Windows system crashing is not just a "Blue Screen of Death" on your home PC, it's now a critical system controlling a local power grid that just went down. It's not just a poorly-written piece of Web server software, it's a perfectly viable avenue of electronic data theft. And by the way, this little problem affects every one of us. Bravo, David, you've done a great job here. I tend to agree with Richard Bejtlich that a "vulnerability tax" is somewhat infeasible, but at least we're having some interesting conversations. Change usually stems from these, and change is exactly what's on the menu.

Depending on who you ask, mankind has survived on this planet for somewhere between 10,000 and 160,000 years. However, we are the first generation to be dependent on software. Geekonomics opens with a discussion of the importance of cement and how crucial it is to our civilization. From roads to sewers, cement is our infrastructure and I could not agree more. After the driest summer since they have been measuring such things, the rain has been falling and falling and falling and my farm is one big mudhole. Every unimproved road is dangerous and some of the asphalt is failing. So I am replacing and improving with cement. It is expensive, but cement roads will outlast me, my son and his sons. Software is as important to infrastructure as cement as a foundation of civilization asserts the author of Geekonomics, David Rice, but while considerable energy has been expended to normalize the manufacture and application of cement, much less work has been done with software. While the cement roads we are putting in will last a hundred or more years, the author points out that software is often essentially obsolete by the time the consumer takes possession of it. In fact, consumers value innovation so much, that it is prized above security even if a quick look at the news shows us the cumulative effect of software failure leading to data breach. At this exact moment, according to privacyrights.org, 216,770,536 consumer records have been lost. As Rice points out, in the 1970s the criminal underground realized there was more money to be made, at less risk of being caught, trafficking in drugs than other forms of crime, so it became a big thing. In the past few years, the criminal underground is starting to focus on software, specifically vulnerabilities in software that can lead to data breaches that allow identity theft and credit card fraud. As the book explains, crime begets crime, if you have a neighborhood with broken windows, this can lead to additional problems, criminals and other worthless fellows are comfortable hanging out and doing whatever they want to do. This too, I have seen in my own life, one of my employees has had to abandon her home for a few weeks. The condominium above her had a broken window that was used to enter that home and people took up residence in the empty foreclosed home. They invited their friends and now the entire complex is less desirable. Geekonomics lists the positive example of the New York Subway system's clean car program, that all cars had to be clean with no graffiti, if a car could not be cleaned it was taken out of service until it was clean. This has lead to a major improvement in the security and user experience of the subway system. However, as the author points out, you can see graffiti, you cannot necessarily see the flaws in software that attract the criminal elements. Another interesting comparison the book makes is the interstate highway system in the US. It was designed for safety from the beginning a

Every once in a while I encounter someone's work whose sanity of argument, integrity of passion, and elegance of expression convinces me in an instant that I have found a comrade. Recently reading the new book "Geekonomics" by David Rice was such an encounter. Rice is a prophet, and like most true prophets, what he is saying is something you won't like hearing. Geekonomics warns against the dangers of software. That's right--software--which we rely upon every day to a rapidly increasing degree. Rice is no crackpot or self-proclaimed guru looking to make a quick buck with this book. His warnings are akin to those of Alan Cooper in "The Inmates are Running the Asylum" and my own as well. While Cooper and I rail against software's inexcusable dysfunctionality, however, Rice points out very real dangers that threaten the world. Most software is bad, not just because it is much harder to use and far less effective than it ought to be; it is also insecure, which invites danger. The more we rely on software, the more vulnerable we are to the whims of those who would do harm. Geekonomics explains the fundamental reasons why software of all types usually fails to deliver what we need, especially security, and the threat that this failure invites. The dangers that Rice describes are on the scale of global warming. Did this statement get your attention? Good, because it's true, and the magnitude and imminence of this problem deserves your attention. Just like the threat of global warming, we dare not ignore the threat of insecure software, because software has become the infrastructure of the modern world. Geekonomics is not only an important book, it is also a good book. Rice is smart and thoughtful, and he knows how to write. If you rely on software (and who doesn't?), you should read this book. If you produce software, you should read this book. You might not like what you read, but you need to hear it, and we all need to do something about it.