The Future of AppSec Liability is Obvious


When you’re inside a mess it’s sometimes difficult to see it for what it is. That is the case with software security today.

People seem quite confused about how the future is going to handle liability when there are breaches in software security, but it couldn’t be more obvious.

Security will become part of the product just as much as functionality. This will be so true that security won’t be discussed as an attribute separate from quality. If a website or shipped software application is insecure it will be no different than if it failed to deliver the features it promised.

If application X is supposed to have 10 features, and two years later it turns out one of the primary features doesn’t work, it is as if the company only delivered on 9 of them. Similarly, if 10 features were promised and two years later the application gets hacked, then it’s as if 9 or fewer features were delivered.

An insecure product, in other words, is not a good product. Why? Because such things are like dry water and clapping with one hand. They don’t exist because they violate the definition of the words used.

Good software is secure software. Those who predicted that liability would fall on the software makers in the future were correct. It cannot go any other way. How long it’ll take to get there is another matter, and there will be hybrids along the way, but the destination is inevitable.