Software security seminar

From PublicWiki
Revision as of 22:54, 1 December 2004 by (talk) (Schedule details)

Jump to: navigation, search

Making secure software: technical and legal solutions (and policy and business if we want to go there).

Schedule details

week-by-week breakdown

Week 1: tech intro: thinking about security

  • Presenter: Keunwoo

Week 2: tech intro: software development and software reliability

  • Presenter: ?

Week 3: technical aspects of improving computer systems

  • Presenter: ?

Week 4: law intro: contracts & torts

  • Presenter: Ben

Week 5: law intro: economic legal philosophy

  • Presenter: Ben?

Week 6: vendor liability

  • Presenter: ?

Week 7: certification processes: products, processes, people

  • Presenter: ?

Week 8: market failures in economics of software, and legal approaches

  • Presenter: ?

Week 9: criminal law approaches?

  • Presenter: ?

Week 10: public policy approaches

  • Presenter: ?
  • Readings: Lazowska lecture, Aspray book?

Other notes

Technical discussion We'd want to start off with a briefing/discussion on the technical issues, led by a computer scientist volunteer or one of us. This means talking about the trouble computer scientists have a) writing secure software and b) determining whether a piece of software is secure. Questions to be discussed and explained would be:

  • Why is writing secure software so hard? (software is complex, tiny vulnerabilities in seas of code millions of lines long)
  • Computer scientists can't tell for sure whether their software is secure for anything more than the tiniest programs. So what CAN we do to evaluate how secure a piece of software is? What proxies for security do we measure (SE practices, performance on static analysis tests, security features in the spec)? This is necessary to cover, I'd think, for any discussion of legal liability--i.e., how do we assign blame for bad software--well, we can see if the vendor did everything he could to try to verify his software was secure.

Legal discussion Led by Ben/lawyer in the room:

  • What is tort?
  • Does it apply to software? Why not?
  • What about in the future, as Ben said, as more devices go online?

Other tactics for improving software

  • Policy solution: Should the gov't or other body license software engineers? Would that improve software quality?
  • Market solution: Would creating an independent lab to evaluate software security help the consumer overcome the problem of "I want to buy secure software but I have no idea how to tell what software products are secure"? If ratings by a lab would get the consumer to buy the relatively more secure stuff, this would incentivize companies to provide it.

Readings and speakers (if we want them) TBD

  • David Notkin might be convinced to explain problems with software security
  • possible literature from the Cylab, CMU, law review articles (need to investigate)
  • Schneier. Secrets and Lies, Digital Security in a Networked World
  • chapter on security in Aspray, IT and Public Policy
  • any notes/video from Ed L's IT/public policy class

How many days worth of class is this? One for technical, one for legal, one for discussion? Perhaps on the 3rd day we could assign people to think about how they would improve software security given what they learned about law and tech.