REVIEW: "Geekonomics: The Real Cost of Insecure Software", David Rice

Posted by Rob, grandpa of Ryan, Trevor, Devon & Han, May 5, 2008
      BKGKNMCS.RVW 20080207

      "Geekonomics: The Real Cost of Insecure Software", David Rice, 2008,
      0-321-47789-8, U$29.99/C$32.99
      %A David Rice david@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2008
      %G 0-321-47789-8 978-0-321-47789-7
      %I Addison-Wesley Publishing Co.
      %O U$29.99/C$32.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321477898/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321477898/robsladesin03-20
      %O Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
      %P 362 p.
      %T "Geekonomics: The Real Cost of Insecure Software"

      In the preface, the author states that the only pre-requisite for
      reading the book is a "hint of curiosity." This is because the work
      explores the issue of insecure and unreliable software from a
      sociological and economic perspective, rather than giving the topic a
      purely technical examination.

      Rice's book is readable, informative, and makes important points. I
      enjoyed it. Normally such an assessment comes at the end of the
      review, but I want to state this up front, because the remainder
      of the commentary contains a number of critical comments. For the
      most part, though, these apply to components that Rice has not
      included, and which would tend to support his contention, rather than
      detract from it.

      Chapter one repeats a lot of the material in the preface, sometimes in
      greater detail. Rice compares software with cement, in terms of the
      infrastructure of modern society, and also introduces the economic
      concepts of incentives and utility. The emphasis, in the analysis of
      software flaws, is on intrusions and networking, but the examples
      cited concentrate on concerns of reliability, rather than intrusions,
      somewhat weakening the overall argument. The lack of software
      standards, and the fact that unregulated markets militate against
      quality and safety, are addressed in chapter two. The text also
      specifically explores the problems involved in the ubiquitous practice
      of patching software faults. Rice's reasoning on the matters, while
      generally sound and extremely convincing, does have some odd quirks.
      For example, he repeats the widely held belief that building secure
      software in the first place must necessarily be more expensive, or
      companies would be doing it. (A relevant counter-example in the world
      of non-computer technology would be that of refrigerator doors. For
      years fridge door latches were a danger to children when old fridges
      were abandoned. Children playing around the fridges could enter them,
      and then become locked inside. It was only after appliance companies
      were forced to change the door locking mechanisms that they turned to
      magnetic closures--and found that not only were those mechanisms
      safer, but also cheaper and more energy efficient. Thus, companies
      may sometimes need to be forced into practices that may actually be to
      their advantage. Overall, consideration of such additional elements
      only serves to strengthen Rice's basic premise that insecure software
      is unnecessarily costly.)

      In chapter three, Rice notes the extremely low rate of prosecution for
      computer crimes, and moves from there to the statement that
      professional cybercrime is not just a criminal matter, but that the
      issue of software unreliability is of concern for national, and even
      international, economic security. He concentrates, again, on software
      vulnerabilities, failing to fully assess investigative weaknesses (and
      the economic pressures preventing law enforcement agencies from hiring
      and retaining trained forensic staff), the inherent risks of
      information warfare (to the attacker as well as the target), and the
      difficulty of establishing and validating trust relationships. He
      correctly identifies the problem with paying bounties for
      vulnerabilities (which many have forgotten). Noting the deleterious
      effect of allowing visible dilapidation to go unrepaired, he asserts
      that the invisible imperfections of software are even more important,
      but his argument appears incomplete.

      After reiterating the point that speed of innovation and time-to-
      market is important to software developers, chapter four appears to
      lose focus, finally seeming to make the point that we need some kind
      of licensing for software development. Chapter five's review of tort
      law tends to overshadow the more significant message that software
      developers enjoy an unparalleled immunity from lawsuits, and thus have
      no motivation to produce software of high quality. Various
      characteristics of open source software, and related development
      processes, are used to point out, in chapter six, differing economic
      forces both for and against software reliability.

      Near the beginning of chapter seven Rice admits that he proposes no
      ultimate answers to the question of code quality. He does, however,
      list arguments that can be used to start further discussion on the
      possible approaches to revise the incentive environment in order to
      promote quality software. The list of potential approaches includes
      allowing the "free market" to deal with the problem (in other words,
      do nothing), promote litigation, license software engineers, create
      standards, or impose some form of vulnerability tax on developers.

      Towards the end of chapter seven, the author states that "[t]his book
      has argued, no matter how imperfectly, that incentives are key to
      changing the story of software." Despite my minor quibbles, Rice's
      case is solid, and his thesis is important. This work should be
      required reading for all involved in matters of technology policy,
      from managers and security professionals responsible for application
      development, to politicians. If this publication is successful
      enough, the publisher might have an incentive to ask the author to
      update his text for a second edition, at which time Rice might tighten
      up his arguments and include some of the missing bits. Then this book
      should be required reading for all developers and programming

      copyright Robert M. Slade, 2008 BKGKNMCS.RVW 20080207

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      In terms of paradigms, shift happens.