Sunday, 2 October 2016

Who is Paying for AppSec on open code?

When there isn't a commercial company behind an application or library, who is paying for:
  • secure development,
  • secure coding standards,
  • threat models,
  • security reviews,
  • dependency management,
  • etc.
One of the interesting questions that arises when we talk about the need for open-source security coding technology, security coding centres, and everything else we need to build secure code is: who pays for it?
Unfortunately, in the past we tried to follow a purely commercial model, and I don't think that has been very successful. It means that while individual companies are doing a lot of good work, there isn't a lot of collaboration and there isn't a lot of sharing of technology. This is something that needs to be done centrally, by organizations that care about the problem at the highest level.
But, how would we pay for all this? Well, the best way is for companies and governments to hire resources and allocate them to those projects. Alternatively they can contribute to independent organizations focused on secure software development and support. Such organizations can then hire very talented individuals, who will work on solutions in an open way, because their main agenda is security and quality.
The key idea here is the 'Collaborative Commons'.
The good news is that this is a proven idea, with many success stories across multiple industries and cultures. The book The Zero Marginal Cost Society talks about this in detail and provides multiple financial models for how it can work.
Should governments be driving this initiative? Yes. Do governments have any clue how to drive this initiative? Most of them don't, so in the short term I think the solution is for companies to take the lead.
Companies need to solve the problem of paying for collaborative AppSec because, within companies, AppSec teams are already struggling to recruit enough people and to scale up. And as attackers become more and more efficient, the question of who is actually going to implement and solve these issues becomes more pressing.
There are also enormous benefits for the local software industry (from talent retention to providing higher-value services).



(from Software Quality book)