Is Software Security a Waste of Money?
I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn’t important. He said:
For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove to be valuable and provide a measurable return on investment, but that’s probably not the case for smaller enterprises, said John Viega, executive vice president of products, strategy and services at SilverSky and an authority on software security. Viega, who formerly worked on product security at McAfee and as a consultant at Cigital, said that when he was at McAfee he could not find a return on investment for software security.
I agree with that. For small companies, it’s not worth worrying much about software security. But for large software companies, it’s vital.
Brian • March 11, 2013 6:42 AM
The sad thing is that he’s probably right. For your average small to medium-sized company, there is no reason at all to worry about how secure your software is. Hardly anyone chooses products based on software security. And as long as companies don’t end up in court for security issues (the way car manufacturers would, for example), there’s no indirect economic incentive either.
But how long is that necessarily going to be true? Software is becoming a larger and larger part of our lives, and some of the large companies are (finally) taking security seriously. How soon before competing with the big players in a market is going to require the small startup to prove they take security seriously? Maybe never…but maybe not.