Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-09 Thread Iván Arce
Gary, Could you elaborate a bit more? Specifically, what kind of incentives you have in mind? How would they work? The debate about what to do to improve software security at a national or larger scale is mostly populated with abstractions and generic ideas but the enumeration and description of

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-09 Thread Lucas Ferreira
All, OWASP has a document which was targeted at the Brazilian government at first and then translates into English. It contains several proposals of government actions to improve the application security (and information security) landscape. The English version is available here:

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-08 Thread Gary McGraw
hi greg, Good question. I'm biased of course, but I think a BSIMM type measurement is the best way to approach this. (See http://bsimm.com.) However, regardless of measurement I strongly believe that incentives are way better than regulations and penalties. Because the Senate bill was blocked

[SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
hi sc-l, This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Jeffrey Walton
Hi Dr. McGraw, Cyber Intelligence Sharing and Protection Act (CISPA) passed by there House in April) has very little to say about building security in. I'm convinced (in the US) that users/consumers need a comprehensive set of software liability laws. Consider the number of mobile devices that

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
Hi Jeff, I'm afraid I disagree. The hyperbolic way to state this is, imagine YOUR lawyer faced down by Microsoft's army of lawyers. You lose. Software liability is not the way to go in my opinion. Instead, I would like to see the government develop incentives for good engineering. gem On

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Greg Beeley
How would we recognize good engineering? It seems to me like the very same problem faced by the idea of software liability law - that it is hard to define good engineering for software security - would be faced by an incentive program. If good engineering is fuzzy enough to give a big corporate