ABSTRACT

The task we have set ourselves may seem impossible. We need to create a value optimal norm that reduces software vulnerabilities while also implementing a trade-off among competing goals that is at least as well justified as any alternative. But we do not yet agree on what trade-offs are best justified. So how can we create the needed norm? We show how in this chapter. The norm will be the best practices software norm: Buyers demand software developed following best practices. We’ll frequently omit the “buyers demand” part for brevity’s sake. This norm, like very many of the norms we consider in this book, will be a coordination norm that unifies buyers’ demand (as always, meaning demand in the sense of willingness and ability to pay). One immediate difficulty is that “[b]est practices has become an overused, underdeveloped catchphrase employed by industries and professions to signal an often unsubstantiated superiority in a given field.”¹ The first step then is to explain what we mean by best practices.