I’ve been thinking lately about how the web industry needs to change in order to improve. Cyber attacks appear to be on the rise and a lot of the time they appear to be caused by someone doing something silly. Perhaps this is because everyone is a web developer; it certainly isn’t down to a lack of available resources on the matter.
Thinking positively about cyber security, the card companies banded together to form PCI-DSS – the Payment Card Industry Data Security Standard – with the goal of helping businesses process card payments securely and reducing card fraud. Yes, it isn’t perfect, but it is a real benefit. Ideally this needs to be pushed beyond just card payments; it needs to be embedded (at least in the UK) with the Information Commissioner’s Office (ICO). It needs to be combined with software vendors like Microsoft, Canonical (Ubuntu) and Red Hat, as well as framework developers like Laravel, Revel and Ember.js, and the end developers.
Security testing shouldn’t be a tick box at the end of the process. It should be embedded throughout the process and should be more like insurance with the more effort you put in, the less you pay.
Think about your house insurance. If you live in a dangerous area, you pay more. If you use a “dangerous” software stack (like no framework), you pay more. If you fit a security alarm, you pay less. If you pen test your software, use 2FA, whatever, you pay less.
The way I would see it being paid for is at the point of sale to the end customer: the final cost would take into account the risk aspect in terms of the technologies used – are they mature, what is their track record of vulnerabilities, etc. But also how long it takes to fix – i.e. if (any) one of the upstream developers releases a security fix, how long will it take before it is applied? Most companies don’t upgrade for fear of IT problems, which ultimately results in more problems just later down the line. Forcing frequent updates reduces the risk. Testing is simpler as changes are smaller. Testing happens more frequently, so staff are better trained.
This would ultimately give the end customers protection from cyber attacks caused by a sloppy mistake, even by a third party. Which is what they are crying out for.
The insurance company would be required to have a solid security background in order to make this work – so much so that it might be easier for a large security company to become an insurance company. They would of course require some massive legal and (ideally) government backing to ensure they can enforce the requirements, or at least some pretty major end customers who demand that software vendors have the required insurance.
The final point is that the insurance company would need to proactively pay out. By this I mean they need to pay bug bounties. After all, it’s like flood defences:
Flood defences on average prevent £8 in future flood damages per £1 spent
Paying out for a detailed vulnerability report is cheaper than paying out damages, fines and repair costs (overtime, contractors, third parties), as well as loss of earnings, not forgetting reputation.