Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SearchSecurity: Cyber Security and the Law

From: Gary McGraw <gem () cigital com>
Date: Fri, 3 Aug 2012 08:32:58 -0400
hi greg,

Good question.  I'm biased of course, but I think a BSIMM type measurement
is the best way to approach this.  (See http://bsimm.com.)  However,
regardless of measurement I strongly believe that incentives are way
better than regulations and penalties.

Because the Senate bill was blocked yesterday by a Republican filibuster
<http://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill-blocked-b
y-gop-filibuster.html> we may have a chance to revisit some of these ideas
next session!

On the BSIMM front, we now have 51 firms measured and will be compiling
BSIMM4 next week for release in the Fall.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 8/2/12 3:13 PM, "Greg Beeley" <Greg.Beeley () lightsys org> wrote:


How would we recognize good engineering?

It seems to me like the very same problem faced by the idea of software
liability law - that it is hard to define good engineering for software
security - would be faced by an incentive program.  If "good
engineering" is fuzzy enough to give a big corporate legal dept the
upper hand against an individual, wouldn't it be similarly fuzzy enough
to counter the fairness of a tax incentive?

Tax breaks are a big deal - I doubt the government is going to want to
issue tax breaks to a company because the company claims they have
achieved level X in a CMM -- think about the economic cost in
demonstrating something like that to the point where it is fair and
worth something.  I also doubt that a metric based on vulnerability
counts will work -- that will just encourage companies to hide
vulnerabilities, fixing them silently and/or with great delay, instead
of disclosing them.

Not that I think that incentives inherently wouldn't work -- rather I'd
be interested in seeing some discussion here on some of the above issues.

One alternative that has worked well in many other areas of
manufacturing -- encourage some kind of limited warranty, at least in
certain industries.  For consumer mobile devices, it might be something
as simple as, "if your device's security is ever compromised due to a
flaw in the bundled device software, we'll repair it free of charge".
The big challenges are 1) getting customers to care about their device's
security, and 2) making a vendor's commitment to security recognizable
by the customer.  By no means ideal, but at least a talking point.

- Greg

Gary McGraw wrote, On 08/02/2012 08:40 AM:

Hi Jeff,

I'm afraid I disagree.  The hyperbolic way to state this is, imagine
YOUR
lawyer faced down by Microsoft's army of lawyers. You lose.

Software liability is not the way to go in my opinion.  Instead, I would
like to see the government develop incentives for good engineering.

gem

On 8/2/12 10:26 AM, "Jeffrey Walton" <noloader () gmail com> wrote:


Hi Dr. McGraw,


Cyber Intelligence Sharing and Protection Act (CISPA) passed by
there House in April) has very little to say about building security
in.

I'm convinced (in the US) that users/consumers need a comprehensive
set of software liability laws. Consider the number of mobile devices
that are vulnerable because OEMs stopped providing (or never provided)
patches for vulnerabilities. The equation [risk analysis] needs to be
unbalanced just a bit to get manufacturers to act (do nothing is cost
effective at the moment).

Jeff

On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw <gem () cigital com> wrote:

hi sc-l,

This month's [in]security article takes on Cyber Law as its topic.
The
US Congress has been debating a cyber security bill this session and
is
close to passing something.  Sadly, the Cybersecurity and Internet
Freedom Act currently being considered in the Senate (as an answer to
the problematic  Cyber Intelligence Sharing and Protection Act (CISPA)
passed by there House in April) has very little to say about building
security in.

Though cyber law has always lagged technical reality by several years,
ignoring the notion of building security in is a fundamental flaw.



http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-
bu
g-fixes-reward-secure-systems

Please read this month's article and pass it on far and wide.  Send a
copy to your representatives in all branches of government.  It is
high
time for the government to tune in to cyber security properly.




_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________



_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: