February 04, 2011, 1:11 PM — With reports swirling that Apple has hired security author David Rice as director of global security, the ideas Rice has put forth in the past to help improve software quality have moved back into public debate.
Rice's book, "Geekonomics," attempts to tackle the nebulous and contentious topic of software quality and the cost that insecure code levies on us all. In his career, Rice has also worked as a global network vulnerability analyst for the NSA and as a cryptologic officer in the United States Navy.
In this recent OWASP (Open Web Application Security Project) talk, Rice likens the battle for the hearts and minds of the public to demand secure code to the battle against pollution as a side effect of industrialization. Once upon a time, pollution was accepted as a given in an industrialized society. Eventually, some started to demand that pollution be brought under control, and forward-thinking companies came to see being environmentally friendly as smart business.
Rice hopes to see the same evolution in thought when it comes to software security: that eventually, software vendors would recognize that developing secure, sustainable software is smart business. However, Rice acknowledges, that's not likely until the marketplace has better information about the quality of the software it consumes. That is: consumers (whether they be individuals or businesses) need to be able to evaluate the inherent security of an application.
For instance, the notion of some type of 5-Star Safety Rating for software could help software buyers understand the security of an application through some type of third-party evaluation and testing. "The idea is to give consumers the information they need to make better decisions. This would improve the efficiency of the market for software," says Josh Corman, research director at the 451 Group's enterprise security practice. "People today, generally, have no idea how to judge the quality of software as it relates to security. Such information would provide the clarity a market needs to function," he says.