So you propose no idea of "minimal set". If a liability is proposed, it has to be reasonably binary state: compliant/non-compliant.

Just like every time, there is no concrete proposal what constitute "minimal set". That's like "make education better", with no concrete plan. We can agree on goal, but on on the method.

There are several ways we could write a list of best practices. But the simplest would be to simply attach a financial cost to leaking any personal data to the open internet. This is essentially how every other industry already works: If my building falls down, the company which made it is financially liable. If I get sick from food poisoning, I can sue the companies responsible for giving me that food. And so on.

We could also write a list of "best practices" - like they do in the construction and aviation industries. Things like:

- Never store personal data on insecure devices (eg developer laptops which have FDE disabled or weak passwords)

- Install (or at least evaluate) all security updates from your OS vendor and software dependencies

- Salt all passwords in the database

And so on. If you locked some competent security engineers in a room for a few days, it would be pretty easy to come up with a reasonable list of practices. There would have to be some judgement in how they're applied, just like in the construction industry. But if companies are held liable if customer data was leaked as a result of best practices not being followed, well, I imagine the situation would improve quite quickly.

Its boring work. Compliance is always boring. But it might be better than the current situation, and our endless list of data breaches.

Software is in a very unique position. It can be attacked all the time with completely impunity.

Buildings are completely vulnerable even to simple hammer breaking windows, locks have been basically broken for decades

Food processor is easily vulnerable to poisoned potato.

Only the software has to take all attacks humans can come up with and withstand it.

What other industry has to deal with that? Maybe military, army camp in middle of enemy territory?

We have improved massively and will and should continue to do, but it's very different from other industries.

That's the core reason for breaches.

Some security checklist will help to filter most egregious idiots (especially upgrades from vulnerable versions).

If a system is attacked or fails in novel way, and the system design was done in accordance with best-practices, the follow-up investigation will note this, the system implementers will in all likelihood not face any repercussions (because they weren't negligent) and the standards will be updated to account for the new vulnerability. Just like other engineering disciplines.

Yes, things are constantly evolving in computer engineering, but how many of the failures that make the news are caused by novel new attack vectors, versus not following best-practices?

We don't live in a hard, binary world of extremes. Yes -- buildings and locks are, for the most part, easily compromised. But...

If I make a window of bulletproof glass, it's a lot harder to compromise.

If I surround my building with a wall topped by razor wire, it's a lot harder to compromise. (Unless, of course, I'm making an action film.)

Depending on what or who I'm protecting, I might find these solutions very valuable. Similarly in software, depending on what or who I am protecting, I might be very interested in various security measures.

So far, we've managed to escape an incident where bad actors have compromised systems in a way that's led to severe loss or harm. People are terrible at evaluating risk, so people tend to assume the status quo is okay. It's not, and it's only a matter of time before a bad actor does some real damage. Think 9/11 style, something that causes an immediate reaction and shocks the population. Then, suddenly, our politicians will be all in favor of requiring software developers to be licensed; liability for companies that allow damages; etc.

> If I get sick from food poisoning, I can sue the companies responsible for giving me that food.

Except that is not how food safety is achieved. There are strict rules about how food must be stored, prepared. How the facilities must be cleaned and how the personal must be trained. If these are not met inspectors can and will shut a commercial operation down even if nobody got sick.

And if they follow all best practices they have a good chance of arguing they were not at fault with your illness (besides the point it makes it much less likely to happen in the first place.)

> Except that is not how food safety is achieved.

Food safety is achieved via a combination of strict rules (equivalent of best practices) and liability in case of harm. There's been plenty of quite famous court cases over the years stemming from bad food being sold leading to people getting sick and dying.

> But if companies are held liable if customer data was leaked as a result of best practices not being followed, well, I imagine the situation would improve quite quickly.

One might argue that GDPR does exactly this, it holds companies financially liable for data leaks. Would you say it has improved the situation?

Well, I interpreted your question 'How do you define "minimum safety, correctness and quality standard"?' as to be about the process, not about the outcome.

I actually have not invested much thought into what the outcome should/would be as I think it's unlikely to happen anyway. So why invest time? But maybe ask the author of the original comment?