Security Czar
Scott Granneman, 2006-03-23

In this column Scott Granneman takes the role of dictator of the security world and presents his ideas about mandatory reforms that would improve security for millions of people.

Comments:

Security Czar, 2006-03-23, by Erik N
Security Czar, 2006-03-23, by Anonymous (1 reply)
    Here here!!!, 2006-03-24, by Anonymous (1 reply)
        Re: Here here!!!, 2006-11-08, by Anonymous
Security Czar, 2006-03-23, by Stonewall
Security Czar, 2006-03-23, by Wremes (1 reply)
    Re: Security Czar, 2006-03-31, by Anonymous
Security Czar, 2006-03-23, by Mr. Negative (1 reply)
    Re: Security Czar, 2006-03-26, by Anonymous
Let's go for it!, 2006-03-23, by assurbanipal (2 replies)
    Re: Let's go for it! - Why?, 2006-03-24, by Anonymous
    Re: Let's go for it!, 2006-04-14, by Anonymous
Security Czar, 2006-03-23, by Nekromancer (1 reply)
    Re: Security Czar, 2006-03-30, by EasterNerd (1 reply)
        Re: Re: Security Czar, 2006-03-31, by Mick
Security Czar, 2006-03-23, by infamous41md (1 reply)
LOLOL are you living in some alternate reality? You want my grandma to get a license so she can use a computer? Even on a more practical level, how would you possibly enforce this? Mandating companies use a certain percentage of other OSes? So you're going to make a small startup who had planned on using Linux/BSD go out and BUY X number of licenses for commercial OSes? And you want to FINE companies? Engineering software is not like engineering tires, it just isn't. You can't expect perfection. Even with manufacturing tires you can't expect perfection; there are always some defective items that slide off an assembly line. Except with software this number of items is much, much larger than in other industries. You can't just go and impose these sorts of rules on an industry so young and undeveloped.

"If you drive a car without changing the oil, eventually you'll destroy that car."

-Yea but that's YOUR CHOICE TO MAKE.

I get that you're trying to be creative/helpful here, and a few of your ideas make sense, but I don't think that's the way. Maybe instead of a "mandatory license," there should be optional classes taught by local (state) universities - so they'd be paid for by our tax dollars - that instructed naive/new users on proper computer usage. Instead of FORCING companies to diversify the OSes they run, maybe there should be tax incentives for companies that do so. Instead of FINING companies - who would probably pass on part of that fine to some overworked code monkey - we should stress the importance of secure coding when programmers are getting their college educations. The programming courses at my college don't even TOUCH anything security related. 99% of the kids I know have "heard of" a buffer overflow, but have no idea what it really is or how it works, and that is PATHETIC. Furthermore, I do agree that software companies MUST BE MANDATED to give EVERY programmer an in-depth course in secure coding for all languages they will be programming in. The fact that this isn't already happening is absolutely ridiculous. But as far as open source goes, well, sometimes you get what you pay for. Maybe what that means is that companies who want to use open source software and have doubts about its security should PAY vuln researchers to audit a piece of software for them. Ahem, ahem, cough, cough... Of course this is no guarantee that the product is secure, but there's a good chance it will make it a little more secure.

    Re: Security Czar, 2006-03-23, by Todd Knarr (1 reply)
        Re: Re: Security Czar, 2006-03-23, by infamous41md
Security Czar, 2006-03-23, by Anonymous (1 reply)
    Re: Security Czar, 2006-04-14, by The Finger
Security Czar, 2006-03-24, by Anonymous
Security Czar, 2006-03-24, by Anonymous
Security Czar, 2006-03-24, by Anonymous
Security Czar, 2006-03-24, by Craig S Wright
No mandatory training, 2006-03-27, by Michael Scovetta (3 replies)
    Re: No mandatory training, 2006-03-29, by Anonymous
    Re: No mandatory training, 2006-03-29, by Anonymous
    Re: No mandatory training, 2006-03-30, by Anonymous
Yes! (except for one thing...), 2006-03-28, by Penguinisto
Security Czar, 2006-03-29, by Anonymous
Security Czar, 2006-03-30, by Lunkwill
Security Czar, 2006-03-31, by Paul Stepowski
Security Czar, 2006-03-31, by FortHEX
Security Czar, 2006-04-02, by Anil B
Copyright 2007, SecurityFocus