Poorly written, insecure software is no longer a technology issue; it is a public policy issue. Software vulnerabilities leave consumers, businesses, national infrastructures, government and the military susceptible to cyber attacks.
The market does not provide significant or compelling incentives for developing secure software, so current cyber security spending largely deals with the effects of insecure software rather than its causes. In essence, software manufacturers practice unrestrained vulnerability dumping onto downstream market participants. In the absence of policy discouraging this behavior, cyber defenders are too busy mopping the floor to turn off the faucet. This must change.