Gary,
Could you elaborate a bit more? Specifically, what kind of incentives
you have in mind? How would they work?
The debate about what to do to improve software security at a national
or larger scale is mostly populated with abstractions and generic ideas
but the enumeration and description of

All,
OWASP has a document which was targeted at the Brazilian government at
first and then translated into English. It contains several proposals
of government actions to improve the application security (and
information security) landscape.
The English version is available here:

hi greg,
Good question. I'm biased of course, but I think a BSIMM type measurement
is the best way to approach this. (See http://bsimm.com.) However,
regardless of measurement I strongly believe that incentives are way
better than regulations and penalties.
Because the Senate bill was blocked

hi sc-l,
This month's [in]security article takes on Cyber Law as its topic. The US
Congress has been debating a cyber security bill this session and is close to
passing something. Sadly, the Cybersecurity and Internet Freedom Act currently
being considered in the Senate (as an answer to the

Hi Dr. McGraw,
Cyber Intelligence Sharing and Protection Act (CISPA) passed by
the House in April) has very little to say about building security in.
I'm convinced (in the US) that users/consumers need a comprehensive
set of software liability laws. Consider the number of mobile devices
that

Hi Jeff,
I'm afraid I disagree. The hyperbolic way to state this is, imagine YOUR
lawyer faced down by Microsoft's army of lawyers. You lose.
Software liability is not the way to go in my opinion. Instead, I would
like to see the government develop incentives for good engineering.
gem
On

How would we recognize good engineering?
It seems to me like the very same problem faced by the idea of software
liability law - that it is hard to define good engineering for software
security - would be faced by an incentive program. If good
engineering is fuzzy enough to give a big corporate