Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-09 Thread Iván Arce
Gary,

Could you elaborate a bit more? Specifically, what kind of incentives
you have in mind? How would they work?

The debate about what to do to improve software security at a national
or larger scale is mostly populated with abstractions and generic ideas
but the enumeration and description of concrete, specific measures to
deploy is notably scant.

-ivan

On 8/3/12 9:32 AM, Gary McGraw wrote:
 hi greg,
 
 Good question.  I'm biased of course, but I think a BSIMM type measurement
 is the best way to approach this.  (See http://bsimm.com.)  However,
 regardless of measurement I strongly believe that incentives are way
 better than regulations and penalties.
 

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-09 Thread Lucas Ferreira
All,

OWASP has a document which was targeted at the Brazilian government at
first and then translated into English. It contains several proposals
of government actions to improve the application security (and
information security) landscape.

The English version is available here:
https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en

The original version is here:
https://www.owasp.org/index.php/OWASP_Brasil_Manifesto

Hope this fits as concrete proposals. ;-)

Regards,

Lucas

On Thu, Aug 9, 2012 at 10:45 AM, Iván Arce ivan.w.a...@gmail.com wrote:
 Gary,

 Could you elaborate a bit more? Specifically, what kind of incentives
 you have in mind? How would they work?

 The debate about what to do to improve software security at a national
 or larger scale is mostly populated with abstractions and generic ideas
 but the enumeration and description of concrete, specific measures to
 deploy is notably scant.

 -ivan

 On 8/3/12 9:32 AM, Gary McGraw wrote:
 hi greg,

 Good question.  I'm biased of course, but I think a BSIMM type measurement
 is the best way to approach this.  (See http://bsimm.com.)  However,
 regardless of measurement I strongly believe that incentives are way
 better than regulations and penalties.





-- 
Homo sapiens non urinat in ventum.



Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-08 Thread Gary McGraw
hi greg,

Good question.  I'm biased of course, but I think a BSIMM type measurement
is the best way to approach this.  (See http://bsimm.com.)  However,
regardless of measurement I strongly believe that incentives are way
better than regulations and penalties.

Because the Senate bill was blocked yesterday by a Republican filibuster
http://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill-blocked-by-gop-filibuster.html
we may have a chance to revisit some of these ideas next session!

On the BSIMM front, we now have 51 firms measured and will be compiling
BSIMM4 next week for release in the Fall.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 8/2/12 3:13 PM, Greg Beeley greg.bee...@lightsys.org wrote:

How would we recognize good engineering?

It seems to me like the very same problem faced by the idea of software
liability law - that it is hard to define good engineering for software
security - would be faced by an incentive program.  If good
engineering is fuzzy enough to give a big corporate legal dept the
upper hand against an individual, wouldn't it be similarly fuzzy enough
to counter the fairness of a tax incentive?

Tax breaks are a big deal - I doubt the government is going to want to
issue tax breaks to a company because the company claims they have
achieved level X in a CMM -- think about the economic cost in
demonstrating something like that to the point where it is fair and
worth something.  I also doubt that a metric based on vulnerability
counts will work -- that will just encourage companies to hide
vulnerabilities, fixing them silently and/or with great delay, instead
of disclosing them.

Not that I think that incentives inherently wouldn't work -- rather I'd
be interested in seeing some discussion here on some of the above issues.

One alternative that has worked well in many other areas of
manufacturing -- encourage some kind of limited warranty, at least in
certain industries.  For consumer mobile devices, it might be something
as simple as, if your device's security is ever compromised due to a
flaw in the bundled device software, we'll repair it free of charge.
The big challenges are 1) getting customers to care about their device's
security, and 2) making a vendor's commitment to security recognizable
by the customer.  By no means ideal, but at least a talking point.

- Greg

Gary McGraw wrote, On 08/02/2012 08:40 AM:
 Hi Jeff,
 
 I'm afraid I disagree.  The hyperbolic way to state this is, imagine YOUR
 lawyer faced down by Microsoft's army of lawyers. You lose.
 
 Software liability is not the way to go in my opinion.  Instead, I would
 like to see the government develop incentives for good engineering.
 
 gem
 
 On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:
 
 Hi Dr. McGraw,

 Cyber Intelligence Sharing and Protection Act (CISPA) passed by
 the House in April) has very little to say about building security in.
 I'm convinced (in the US) that users/consumers need a comprehensive
 set of software liability laws. Consider the number of mobile devices
 that are vulnerable because OEMs stopped providing (or never provided)
 patches for vulnerabilities. The equation [risk analysis] needs to be
 unbalanced just a bit to get manufacturers to act (do nothing is cost
 effective at the moment).

 Jeff

 On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 This month's [in]security article takes on Cyber Law as its topic.  The
 US Congress has been debating a cyber security bill this session and is
 close to passing something.  Sadly, the Cybersecurity and Internet
 Freedom Act currently being considered in the Senate (as an answer to
 the problematic Cyber Intelligence Sharing and Protection Act (CISPA)
 passed by the House in April) has very little to say about building
 security in.

 Though cyber law has always lagged technical reality by several years,
 ignoring the notion of building security in is a fundamental flaw.


 http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

 Please read this month's article and pass it on far and wide.  Send a
 copy to your representatives in all branches of government.  It is high
 time for the government to tune in to cyber security properly.

 
 

[SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
hi sc-l,

This month's [in]security article takes on Cyber Law as its topic.  The US 
Congress has been debating a cyber security bill this session and is close to 
passing something.  Sadly, the Cybersecurity and Internet Freedom Act currently 
being considered in the Senate (as an answer to the problematic Cyber 
Intelligence Sharing and Protection Act (CISPA) passed by the House in April) 
has very little to say about building security in.

Though cyber law has always lagged technical reality by several years, ignoring 
the notion of building security in is a fundamental flaw.

http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

Please read this month's article and pass it on far and wide.  Send a copy to 
your representatives in all branches of government.  It is high time for the 
government to tune in to cyber security properly.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Jeffrey Walton
Hi Dr. McGraw,

 Cyber Intelligence Sharing and Protection Act (CISPA) passed by
 the House in April) has very little to say about building security in.
I'm convinced (in the US) that users/consumers need a comprehensive
set of software liability laws. Consider the number of mobile devices
that are vulnerable because OEMs stopped providing (or never provided)
patches for vulnerabilities. The equation [risk analysis] needs to be
unbalanced just a bit to get manufacturers to act (do nothing is cost
effective at the moment).

Jeff

On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 This month's [in]security article takes on Cyber Law as its topic.  The US 
 Congress has been debating a cyber security bill this session and is close to 
 passing something.  Sadly, the Cybersecurity and Internet Freedom Act 
 currently being considered in the Senate (as an answer to the problematic 
 Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House 
 in April) has very little to say about building security in.

 Though cyber law has always lagged technical reality by several years, 
 ignoring the notion of building security in is a fundamental flaw.

 http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

 Please read this month's article and pass it on far and wide.  Send a copy to 
 your representatives in all branches of government.  It is high time for the 
 government to tune in to cyber security properly.




Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
Hi Jeff,

I'm afraid I disagree.  The hyperbolic way to state this is, imagine YOUR
lawyer faced down by Microsoft's army of lawyers. You lose.

Software liability is not the way to go in my opinion.  Instead, I would
like to see the government develop incentives for good engineering.

gem

On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:

Hi Dr. McGraw,

 Cyber Intelligence Sharing and Protection Act (CISPA) passed by
 the House in April) has very little to say about building security in.
I'm convinced (in the US) that users/consumers need a comprehensive
set of software liability laws. Consider the number of mobile devices
that are vulnerable because OEMs stopped providing (or never provided)
patches for vulnerabilities. The equation [risk analysis] needs to be
unbalanced just a bit to get manufacturers to act (do nothing is cost
effective at the moment).

Jeff

On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 This month's [in]security article takes on Cyber Law as its topic.  The
 US Congress has been debating a cyber security bill this session and is
 close to passing something.  Sadly, the Cybersecurity and Internet
 Freedom Act currently being considered in the Senate (as an answer to
 the problematic Cyber Intelligence Sharing and Protection Act (CISPA)
 passed by the House in April) has very little to say about building
 security in.

 Though cyber law has always lagged technical reality by several years,
 ignoring the notion of building security in is a fundamental flaw.

 http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

 Please read this month's article and pass it on far and wide.  Send a
 copy to your representatives in all branches of government.  It is high
 time for the government to tune in to cyber security properly.





Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Greg Beeley
How would we recognize good engineering?

It seems to me like the very same problem faced by the idea of software
liability law - that it is hard to define good engineering for software
security - would be faced by an incentive program.  If good
engineering is fuzzy enough to give a big corporate legal dept the
upper hand against an individual, wouldn't it be similarly fuzzy enough
to counter the fairness of a tax incentive?

Tax breaks are a big deal - I doubt the government is going to want to
issue tax breaks to a company because the company claims they have
achieved level X in a CMM -- think about the economic cost in
demonstrating something like that to the point where it is fair and
worth something.  I also doubt that a metric based on vulnerability
counts will work -- that will just encourage companies to hide
vulnerabilities, fixing them silently and/or with great delay, instead
of disclosing them.

Not that I think that incentives inherently wouldn't work -- rather I'd
be interested in seeing some discussion here on some of the above issues.

One alternative that has worked well in many other areas of
manufacturing -- encourage some kind of limited warranty, at least in
certain industries.  For consumer mobile devices, it might be something
as simple as, if your device's security is ever compromised due to a
flaw in the bundled device software, we'll repair it free of charge.
The big challenges are 1) getting customers to care about their device's
security, and 2) making a vendor's commitment to security recognizable
by the customer.  By no means ideal, but at least a talking point.

- Greg

Gary McGraw wrote, On 08/02/2012 08:40 AM:
 Hi Jeff,
 
 I'm afraid I disagree.  The hyperbolic way to state this is, imagine YOUR
 lawyer faced down by Microsoft's army of lawyers. You lose.
 
 Software liability is not the way to go in my opinion.  Instead, I would
 like to see the government develop incentives for good engineering.
 
 gem
 
 On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:
 
 Hi Dr. McGraw,

 Cyber Intelligence Sharing and Protection Act (CISPA) passed by
 the House in April) has very little to say about building security in.
 I'm convinced (in the US) that users/consumers need a comprehensive
 set of software liability laws. Consider the number of mobile devices
 that are vulnerable because OEMs stopped providing (or never provided)
 patches for vulnerabilities. The equation [risk analysis] needs to be
 unbalanced just a bit to get manufacturers to act (do nothing is cost
 effective at the moment).

 Jeff

 On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 This month's [in]security article takes on Cyber Law as its topic.  The
 US Congress has been debating a cyber security bill this session and is
 close to passing something.  Sadly, the Cybersecurity and Internet
 Freedom Act currently being considered in the Senate (as an answer to
 the problematic Cyber Intelligence Sharing and Protection Act (CISPA)
 passed by the House in April) has very little to say about building
 security in.

 Though cyber law has always lagged technical reality by several years,
 ignoring the notion of building security in is a fundamental flaw.


 http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

 Please read this month's article and pass it on far and wide.  Send a
 copy to your representatives in all branches of government.  It is high
 time for the government to tune in to cyber security properly.

 
 