Thursday, October 28, 2004
Are things about to get better?
Companies ship insecure products and run insecure computers because they can. Until there's some kind of accountability this will never change. My favorite security author has written that software should be covered by product liability laws.
Yesterday I heard something encouraging at a security conference (believe me, that's rare. If you want to hear encouraging things then don't go to security conferences). Visa has started writing security requirements into its contracts with merchants. Merchants faced with losing the ability to take Visa payments suddenly become religious about security audits, it turns out.
A purchasing manager at the same conference described postponing a seven-figure order until the vendor could prove they met some security requirements. He got results.
People like Visa's executives and that purchasing manager are now putting money behind demands for better security practices. If you make a demand with money behind it in a market economy, you get results. You get those results faster than liability lawyers or government regulators can possibly move.
Now if only we had some way to measure security...