BKGKNMCS.RVW 20080207

"Geekonomics: The Real Cost of Insecure Software", David Rice, 2008, 0-321-47789-8, U$29.99/C$32.99
%A David Rice david@geekonomicsbook.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2008
%G 0-321-47789-8 978-0-321-47789-7
%I Addison-Wesley Publishing Co.
%O U$29.99/C$32.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321477898/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321477898/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321477898/robsladesin03-20
%O Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P 362 p.
%T "Geekonomics: The Real Cost of Insecure Software"

In the preface, the author states that the only pre-requisite for reading the book is a "hint of curiosity." This is because the work explores the issue of insecure and unreliable software from a sociological and economic perspective, rather than giving the topic a purely technical examination.

Rice's book is readable, informative, and makes important points. I enjoyed it. Normally such an assessment comes at the end of the review, but I want to state this up front, because the remainder of the commentary contains a number of critical comments. For the most part, though, these apply to components that Rice has not included, and which would tend to support his contention rather than detract from it.

Chapter one repeats a lot of the material in the preface, sometimes in greater detail. Rice compares software with cement, in terms of the infrastructure of modern society, and also introduces the economic concepts of incentives and utility. The emphasis, in the analysis of software flaws, is on intrusions and networking, but the examples cited concentrate on concerns of reliability rather than intrusions, somewhat weakening the overall argument.
The lack of software standards, and the fact that unregulated markets militate against quality and safety, are addressed in chapter two. The text also specifically explores the problems involved in the ubiquitous practice of patching software faults. Rice's reasoning on these matters, while generally sound and extremely convincing, does have some odd quirks. For example, he repeats the widely held belief that building secure software in the first place must necessarily be more expensive, or companies would be doing it. (A relevant counter-example in the world of non-computer technology would be that of refrigerator doors. For years fridge door latches were a danger to children when old fridges were abandoned. Children playing around the fridges could enter them, and then become locked inside. It was only after appliance companies were forced to change the door locking mechanisms that they turned to magnetic closures--and found that not only were those mechanisms safer, but also cheaper and more energy efficient. Thus, companies may sometimes need to be forced into practices that may actually be to their advantage. Overall, consideration of such additional elements only serves to strengthen Rice's basic premise that insecure software is unnecessarily costly.)

In chapter three, Rice notes the extremely low rate of prosecution for computer crimes, and moves from there to the statement that professional cybercrime is not just a criminal matter, but that the issue of software unreliability is of concern for national, and even international, economic security. He concentrates, again, on software vulnerabilities, failing to fully assess investigative weaknesses (and the economic pressures preventing law enforcement agencies from hiring and retaining trained forensic staff), the inherent risks of information warfare (to the attacker as well as the target), and the difficulty of establishing and validating trust relationships.
He correctly identifies the problem with paying bounties for vulnerabilities (which many have forgotten). Noting the deleterious effect of allowing visible dilapidation to go unrepaired, he asserts that the invisible imperfections of software are even more important, but his argument appears incomplete.

After reiterating the point that speed of innovation and time-to-market is important to software developers, chapter four appears to lose focus, finally seeming to make the point that we need some kind of licensing for software development. Chapter five's review of tort law tends to overshadow the more significant message that software developers enjoy an unparalleled immunity from lawsuits, and thus have no motivation to produce software of high quality. Various characteristics of open source software, and related development processes, are used to point out, in chapter six, differing economic forces both for and against software reliability.

Near the beginning of chapter seven Rice admits that he proposes no ultimate answers to the question of code quality. He does, however, list arguments that can be used to start further discussion on the possible approaches to revising the incentive environment in order to promote quality software. The list of potential approaches includes allowing the "free market" to deal with the problem (in other words, doing nothing), promoting litigation, licensing software engineers, creating standards, or imposing some form of vulnerability tax on developers. Towards the end of chapter seven, the author states that "[t]his book has argued, no matter how imperfectly, that incentives are key to changing the story of software."

Despite my minor quibbles, Rice's case is solid, and his thesis is important. This work should be required reading for all involved in matters of technology policy, from managers and security professionals responsible for application development, to politicians.
If this publication is successful enough, the publisher might have an incentive to ask the author to update his text for a second edition, at which time Rice might tighten up his arguments and include some of the missing bits. Then this book should be required reading for all developers and programming students.

copyright Robert M. Slade, 2008