Difference between revisions of "Software security seminar"

From PublicWiki
Jump to: navigation, search
(Week 7: certification processes: products, processes, people)
(Week 6: vendor liability for security defects)
Line 41: Line 41:
 
*Presenter: Ben?, Prof. Winn? ??
 
*Presenter: Ben?, Prof. Winn? ??
 
*Topics: Legal background:  currently it seems hard/impossible to hold a vendor liable for computer security defects in the software systems they create.  Would the world be a better place if liability (in some form or another) could attach?  We'll test the following hypothesis:  Imposing liability on vendors will force vendors to bear the cost of software containing computer security defects, thereby providing incentives to improve software quality.
 
*Topics: Legal background:  currently it seems hard/impossible to hold a vendor liable for computer security defects in the software systems they create.  Would the world be a better place if liability (in some form or another) could attach?  We'll test the following hypothesis:  Imposing liability on vendors will force vendors to bear the cost of software containing computer security defects, thereby providing incentives to improve software quality.
*Readings: Possibly http://www.cs.washington.edu/homes/dugan/vendor-liability.htm and/or TBD
+
*Readings: Possibly http://www.cs.washington.edu/homes/dugan/vendor-liability.htm and/or TBD.  This might be a good place to look at the baby-step regulatory approaches we are seeing now:  ie, Gramm-Leach-Bliley, HIPAA, and the FDA regs on software in medical devices...
  
 
===Week 7: certification processes: products, processes, people===
 
===Week 7: certification processes: products, processes, people===

Revision as of 19:09, 3 December 2004

Notes for soctech seminar planning, Winter 2005

Making secure software: technical and legal solutions (and policy and business if we want to go there).

Schedule details

week-by-week breakdown

Week 1: tech intro: thinking about computer security

  • Presenter: Keunwoo
  • Topics:
    • What is this course about, and why are we here?
    • Basic security concepts (threat models, cost/safety tradeoffs)
    • Fundamental computing technology topics: operating systems, programming systems.
  • Pre-reading: none; Keunwoo will present slides.
  • Post-reading: Lessig, Code and Other Laws of Cyberspace, ch. 7

Week 2: tech intro: software quality and security

  • Presenter: Keunwoo?
  • Topics: what is software quality? how do people measure it? how does this apply to security?
  • Reading: (I am asking some software engineering people for a good overview of software quality.)

Week 3: technical aspects of improving computer systems

  • Presenter: Keunwoo?
  • Topics: technologies that can improve computer systems: languages; analysis tools; testing; runtime systems/operating systems; ad hoc technical measures; software development methodologies; HCI issues
  • Reading: Handouts prepared by Keunwoo; also, Schneier, Secrets and Lies ch. 8-10?

Week 4: law boot camp: tort, contract & property

  • Presenter: Ben
  • Topics: Basically, the first year of law school in 50 minutes...
    • Sources of authority: common law, statutes, constitutions, regulations
    • Torts: intentional torts, negligence, strict liability, products liability
    • Contracts: legally enforceable promises, a mechanism for facilitating transactions in goods, services, legal rights, etc.
    • Property: property rights, power to control things, intellectual property
  • Readings: TBD

Week 5: a conceptual model: the law and economics view

  • Presenter: Ben?
  • Topics: economic analysis of law; property, contract and torts recast; the Coase theorem; ...
  • Readings: selections from Posner, Economic Analysis of Law and/or Calabresi & Melamid, "Property Rules, Liability Rules and Inalienability: One View of the Cathedral"

Week 6: vendor liability for security defects

  • Presenter: Ben?, Prof. Winn? ??
  • Topics: Legal background: currently it seems hard/impossible to hold a vendor liable for computer security defects in the software systems they create. Would the world be a better place if liability (in some form or another) could attach? We'll test the following hypothesis: Imposing liability on vendors will force vendors to bear the cost of software containing computer security defects, thereby providing incentives to improve software quality.
  • Readings: Possibly http://www.cs.washington.edu/homes/dugan/vendor-liability.htm and/or TBD. This might be a good place to look at the baby-step regulatory approaches we are seeing now: ie, Gramm-Leach-Bliley, HIPAA, and the FDA regs on software in medical devices...

Week 7: certification processes: products, processes, people

Week 8: criminal law approaches?

  • Presenter: ?

Caroline: If we want a non-student presenter or someone who can advise us on readings, Floyd Short is an assistant US attorney who teaches the computer crime course at UW law school. Jane Winn recommeds him as a good speaker on this. A lot of discussions of criminal law approaches from lawyers that I've seen gloss over a key point--understandably, since lawyers aren't often technical folks--and that point is that the ability to persecute someone for a computer crime presupposes you can find that person and the tech isn't really there yet as I understand. We may want to have a technical talk/reading/person who can explain the technical limitations to our ability to find the bad guys: how good are we at packet tracing, how bad guys can cover their tracks...

Week 9: public policy approaches

  • Presenter: ?
  • Topic: does gov't have any role in directly intervening in computer security?
    • funding basic research?
    • subsidizing development or deployment of security products?
    • etc.

Caroline: One answer here is that security research is woefully underfunded as gov't officials think security is just about anti-virus and patching. This seems to be a point Eugene Spafford, of Purdue CS, is pretty interested in making so perhaps he can point us to readings or talks he's given on this. I'll ask him.

  • Readings:
    • Lazowska 590tu lecture from 12/02/04 (require people to watch online beforehand)
    • other?

Week 10: quality of information in the security market

  • Presenter: ?
  • Readings: John Michener, Steven Mohan, James Astrachan, David Hale. Snake-oil Security Claims: the Systematic Misrepresentation of Product Security in the E-commerce Arena [1]

Past courses to mine for useful content

Floating readings

These are readings that haven't been matched to a date yet.

Resources to mine for other readings

Other notes

Technical discussion We'd want to start off with a briefing/discussion on the technical issues, led by a computer scientist volunteer or one of us. This means talking about the trouble computer scientists have a) writing secure software and b) determining whether a piece of software is secure. Questions to be discussed and explained would be:

  • Why is writing secure software so hard? (software is complex, tiny vulnerabilities in seas of code millions of lines long)
  • Computer scientists can't tell for sure whether their software is secure for anything more than the tiniest programs. So what CAN we do to evaluate how secure a piece of software is? What proxies for security do we measure (SE practices, performance on static analysis tests, security features in the spec)? This is necessary to cover, I'd think, for any discussion of legal liability--i.e., how do we assign blame for bad software--well, we can see if the vendor did everything he could to try to verify his software was secure.

Legal discussion Led by Ben/lawyer in the room:

  • What is tort?
  • Does it apply to software? Why not?
  • What about in the future, as Ben said, as more devices go online?

Other tactics for improving software

  • Policy solution: Should the gov't or other body license software engineers? Would that improve software quality?
  • Market solution: Would creating an independent lab to evaluate software security help the consumer overcome the problem of "I want to buy secure software but I have no idea how to tell what software products are secure"? If ratings by a lab would get the consumer to buy the relatively more secure stuff, this would incentivize companies to provide it.


Readings and speakers (if we want them) TBD

  • David Notkin might be convinced to explain problems with software security
  • possible literature from the Cylab, CMU, law review articles (need to investigate)
  • Schneier. Secrets and Lies, Digital Security in a Networked World
  • chapter on security in Aspray, IT and Public Policy
  • any notes/video from Ed L's IT/public policy class

How many days worth of class is this? One for technical, one for legal, one for discussion? Perhaps on the 3rd day we could assign people to think about how they would improve software security given what they learned about law and tech.