Rule #1: The consumer is king
We've gone through this many times in different permutations. The FDA was created to try to drive out the snake oil salesmen. The professional boards (mostly medicine & law) exist to try to keep the worst practitioners from causing the death of their clients. But in the end, the consumer remains king. We had a perfectly good consumer cell phone with a much better security model than Apple, let alone Android. Remind me, how is RIM's retail branch doing these days?
Okay, so consumers don't really understand the dangers of bad security. Even if they did, security is a distributed threat--99.9999% secure means 100% insecure. To argue that consumers are willingly going to bear the costs of security is to argue that Communism works. (Hint to the Millennials: even the Pilgrims could not pull it off.)
How about we start at the other end of the problem: what exactly is meant by "this server is secure"? istoomuch.jpg How about, "this code is secure"? Care to back up that claim? May I see your MA in mathematics? Because proving that a piece of code actually does what you want it to do, and nothing else, is at least equal to a thesis. (And, yes, I do have one of those.) That's assuming that the compiler has also been proven. And whatever was used to create the compiler. And the OS. For both. And the CPU. For all. Moreover, your CPU must not only do what the architecture says, but must be side-channel free. That means (and I have the background to say this) either taking a 10x hit to speed, securing not just your code, but all code running on the server--including cross-domain interactions between applications (think: SQL injection), or getting a completely new cache architecture.
Okay, so somehow we have a magically secure programming environment. Luckycharms.img And, you want some new code. You going to hunt down a mathematician to write it? Oh, but maybe we can use the model that engineers use. The mathematician doesn't have to write the code himself--he can check the work and certify it. No. grumpycat.img Code is not a piece of metal that can be machined into tolerance. It does not have microfractures that only spread at a given rate. There is no procedure to guarantee changes are correct. kurtgodel.img When we are talking about demonstrating security, we are talking about creating valid proofs, and while two might be three times as fast, that's two fully trained mathematicians, not a mathematician and someone else.
But security really is that important. Why don't we pass some laws & regulations? yeahsure.jpg Just how long will a politician stay elected if he passes a bill that outlaws 99.99999% of existing code?
We are losing the war. We do need to fight it. But we must focus our efforts where they can be productive. We need public awareness of the pervasiveness of the security threat. Maybe we can get Bill Gates to fund a publicity campaign. I do believe that liability legislation has its place, but the only way that is going to survive is if it is extremely incremental. That is, too little to be effective until some sort of phase change happens. Something in the same spirit as the GDPR, but significantly more limited in relative scope.
Yeah, I really try not to think too hard about this. Kinda like the Cold War.