A Warning Label For Your Software
Thanks to initiatives aimed at consumer protection, we have warning labels on everything. From the Surgeon General’s warning on cigarettes and alcohol to the printed mandate not to let your child put a plastic bag on his head, we’re now more informed than ever when it comes to our own protection. But there’s one area where advocates feel we don’t have all the details: software security.
That’s why Peiter Zatko, aka Mudge, has developed software labeling intended to let consumers know about the vulnerability versus trustworthiness of the tech they use, ideally before they grant permissions or turn over their sensitive data. His system is less like a warning label and more like the nutritional guideline labels that now appear on our packaged foods, intended to let consumers make a sound choice. Zatko, a former hacker himself, is no stranger to raising awareness of security flaws, and has been associated with other cybersecurity projects, even ones for the US Department of Defense.
A Reuters article on Zatko’s efforts highlighted some of his preliminary findings when it comes to software and tech security and the trust consumers can place in specific brands. For example, “on Apple’s Macintosh computers, Google’s Chrome web browser is significantly harder to attack than Apple’s Safari, which in turn is much more secure than Firefox. Many Microsoft products have scored quite well so far, but its Office suite for Mac did terribly.”
This type of information is critical for arming the public against the threat of a security breach. Why? Because lawsuits against software companies that sell a faulty product are actually harder to win than you might imagine, given that software is, in legal definitions, a licensed product and not a tangible product. That’s why a lot of the support for this kind of project is coming from an unlikely industry: the insurance sector. Insurers are the ones hit hard when a security breach results in consumers’ information being stolen, and they have little financial recourse against the software company or the client who used the flawed software.