http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security
By Timothy B. Lee
Vox.com
April 12, 2014
What caused the Heartbleed Bug that endangered the privacy of millions of
web users this week? On one level, it looks like a simple case of human
error. A software developer from Germany contributed code to the popular
OpenSSL software that made a basic, but easy-to-overlook mistake. The
OpenSSL developer who approved the change didn't notice the issue either,
and (if the NSA is telling the truth) neither did anyone else for more
than 2 years.

It's hard to blame those guys. OpenSSL is an open source project. As the
Wall Street Journal describes it, the project is "managed by four core
European programmers, only one of whom counts it as his full-time job."
The OpenSSL Foundation had a budget of less than $1 million in 2013.

That's shocking. Software like OpenSSL increasingly serves as the
foundation of the American economy. Cleaning up the mess from the
Heartbleed bug will cost millions of dollars in the United States alone.
In a society that spends billions of dollars developing software, we
should be spending more trying to keep it secure. If we don't do something
about that, we're doomed to see problems like Heartbleed crop up over and
over again.

Why security flaws are different from other bugs

Computer security is a classic collective action problem. We all benefit
from efforts to improve software security, but most organizations don't
make it a priority. For most of us, it's economically rational to
free-ride on others' computer security efforts.
[...]