Software security seminar
Notes for soctech seminar planning, Winter 2005
Making secure software: technical and legal solutions (and policy and business if we want to go there).
- 1 Schedule details
- 1.1 Week 1: tech intro: thinking about computer security
- 1.2 Week 2: tech intro: software quality and security
- 1.3 Week 3: technical aspects of improving computer systems
- 1.4 Week 4: law boot camp: tort, contract & property
- 1.5 Week 5: a conceptual model: the law and economics view
- 1.6 Week 6: vendor liability for security defects
- 1.7 Week 7: certification processes: products, processes, people
- 1.8 Week 8: Security processes in the real world
- 1.9 Week 9: criminal law approaches?
- 1.10 Week 10: public policy approaches
- 1.11 Week xx: quality of information in the security market
- 2 Past courses to mine for useful content
- 3 Floating readings
- 4 Other notes
Week 1: tech intro: thinking about computer security
- Presenter: Keunwoo
- What is this course about, and why are we here?
- Basic security concepts (threat models, cost/safety tradeoffs)
- Fundamental computing technology topics: operating systems, programming systems.
- Pre-reading: none; Keunwoo will present slides.
- Post-reading: Lessig, Code and Other Laws of Cyberspace, ch. 7
Week 2: tech intro: software quality and security
- Presenter: Keunwoo
- Topics: what is software quality? how do people measure it? how does this apply to security?
- Suggestions for Keunwoo from Caroline for this tech intro
- Reading: (I am asking some software engineering people for a good overview of software quality.)
Week 3: technical aspects of improving computer systems
- Presenter: Keunwoo
- Topics: technologies that can improve computer systems: languages; analysis tools; testing; runtime systems/operating systems; ad hoc technical measures; software development methodologies; HCI issues
- Suggestions for Keunwoo from Caroline for this session
- Reading: Handouts prepared by Keunwoo; also, Schneier, Secrets and Lies ch. 8-10?
Week 4: law boot camp: tort, contract & property
- Presenter: Ben
- Topics: Basically, the first year of law school in 50 minutes...
- Sources of authority: common law, statutes, constitutions, regulations
- Torts: intentional torts, negligence, strict liability, products liability
- Contracts: legally enforceable promises, a mechanism for facilitating transactions in goods, services, legal rights, etc.
- Property: property rights, power to control things, intellectual property
- Readings: TBD
Week 5: a conceptual model: the law and economics view
- Presenter: Ben?
- Topics: economic analysis of law; property, contract and torts recast; the Coase theorem; ...
- Readings: (Possibly)
- Posner, Richard, selections from Economic Analysis of Law
- Calabresi & Melamed, Property Rules, Liability Rules and Inalienability: One View of the Cathedral, 85 Harv. L. Rev. 1089 (1988).
- Coase, Ronald H. The Problem of Social Cost. J. Law & Econ. 3, p. 1 (1960).
Week 6: vendor liability for security defects
- Presenter: Ben?, Prof. Winn? ??
- Topics: Legal background: currently it seems hard/impossible to hold a vendor liable for computer security defects in the software systems they create. Would the world be a better place if liability (in some form or another) could attach? We'll test the following hypothesis: Imposing liability on vendors will force vendors to bear the cost of software containing computer security defects, thereby providing incentives to improve software quality.
- Readings: (Possibly)
- Barnes, Douglas, "Deworming the Internet," 83 Texas Law Rev. 279 (2004)
- Dugan, Ben, "Vendor Liability for Computer Security Defects" (2003) 
- This might be a good place to look at the regulatory approaches we are seeing now: Gramm-Leach-Bliley, FDA Regs 21 CFR Part 11, Sarbanes-Oxley section 404, HIPAA, FDA requirements for medical device software validation.
See also General info on FDA regulation of medical devices for a summary of device classification and the FDA certification process.
Week 7: certification processes: products, processes, people
- Presenter: student, TBD
The focus of this session can be on this question: at what point will we know enough about how to produce good software to make certification of people, of products, of processes useful? Focus on one or more of these certifications, according to participant interest. Caroline's best equipped to shape a discussion on certification of products, which touches on certification of processes. Something to note: all of these certifications are simply attempts to quantify software quality, something that would be useful for assigning liability, for insurance, and for inspiring consumers to demand good software.
On products--Key questions here: At what point are our tests for estimating how secure software is good enough for a lab to produce results consumers trust? (We want consumers to trust the ratings so they buy highly-rated software and thus inspire companies to put more effort into making highly-rated software.) At what point are they good enough to produce results that can be used by lawyers or insurers? Is it "good enough" for consumers, for lawyers, for insurers, to rate software on how it performs on static analysis testing? What happens if we get it wrong and software that the lab rated as "secure" gets hit by a devastating attack?
And even if we can't say that our certification schemes can tell us anything about the quality of software, is certification of people, processes or products worth doing for the simple benefit that it will require companies to focus more on security?
On licensing people--Here's a good treatment of it: McConnell, Steve. After the Gold Rush.
- Certification schemes
- Software Engineering Institute at CMU's multi-level rating system for software development organizations: There is some data to back up the supposition that software developed under processes rated better by the SEI is better than less-highly rated software, says Ed L.
- Common Criteria. Complex system, not widely respected, evaluates documentation about the process
- New effort at CMU (CyLab): focus on static analysis tools
- For an overview of what's needed to create an independent lab, I'm adapting a paper from Ed L's class into a more casual-style briefing on this issue; for now I'll link to the in-progress version: Criteria for a Lab to Certify Software
- Check out ISO 17799. If we can find a summary of this standard, it might be interesting to look at (or else pay the 179 Swiss Francs they're charging on the ISO web site...). Need to track down other software quality/reliability standards, if they exist. Note: A summary of the standard can be found on the ISO 17799 wiki site at: http://iso-17799.safemode.org
- Possible sources of further readings:
- Nancy Mead, Issues in Licensing and Certification of Software Engineers.
- U Texas Software Engineering Coordinating Committee
- a briefing on the considerations you need to create an underwriter
Week 8: Security processes in the real world
- Presenter: Ira
There is a long history of groping with issues of connecting computerized medical devices to the Internet (at least 20 years at UW Medical Center), with lots of finger pointing between customers and vendors as to who is responsible (if anyone). I will tell some stories that I hope will illuminate these issues, including a very recent successful negotiation with a vendor of radiation therapy planning computers and software. One of the links in the schedule summary page (reproduced here) points to an FDA document that just came out, reinforcing what we asked for and got from our vendor. I'll also give a brief summary of the role of the FDA in regulating medical software, unless that gets covered in one of the earlier sessions, which will leave more time for discussion.
Links: Recently released FDA document: [http://www.fda.gov/cdrh/comp/guidance/1553.html Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software] and also General info on FDA regulation of medical devices and article on the FDA's growing involvement in the OS patch process and another article two weeks later, and yet another.
Week 9: criminal law approaches?
- Presenter: student, TBD; also, possibly Floyd Short
Caroline: If we want a non-student presenter or someone who can advise us on readings, Floyd Short is an assistant US attorney who teaches the computer crime course at UW law school. Jane Winn recommends him as a good speaker on this. A lot of discussions of criminal law approaches from lawyers that I've seen gloss over a key point--understandably, since lawyers aren't often technical folks--and that point is that the ability to prosecute someone for a computer crime presupposes you can find that person, and the tech isn't really there yet as I understand. We may want to have a technical talk/reading/person who can explain the technical limitations to our ability to find the bad guys: how good are we at packet tracing, how bad guys can cover their tracks...
- I've contacted some security-interested students in our dept. for sources/presenters. Keunwoo 12:54, 3 Dec 2004 (PST)
Week 10: public policy approaches
- Presenter: student, TBD
- Topic: does gov't have any role in directly intervening in computer security?
- funding basic research?
- subsidizing development or deployment of security products?
Caroline: One answer here is that security research is woefully underfunded as gov't officials think security is just about anti-virus and patching. This seems to be a point Eugene Spafford, of Purdue CS, is pretty interested in making so perhaps he can point us to readings or talks he's given on this. I'll ask him.
- Lazowska 590tu lecture from 12/02/04 (require people to watch online beforehand)
Week xx: quality of information in the security market
- Presenter: student, TBD
- Readings: John Michener, Steven Mohan, James Astrachan, David Hale. Snake-oil Security Claims: the Systematic Misrepresentation of Product Security in the E-commerce Arena
Past courses to mine for useful content
- security reading group, Winter 2003
- 590NL networking seminar: trustworthy computing, Autumn 2004
- p590TU: IT & public policy, Autumn 2004
- 590SY systems seminar, usu. at least 1-2 papers per qtr on security topics; following quarters have more than usual:
- USACM public policy home page
Floating readings
These are readings that haven't been matched to a date yet.
- Ross Anderson papers:
- Why Information Security is Hard -- An Economic Perspective.
- Ross Anderson, Security in Open versus Closed Systems: The Dance of Boltzmann, Coase and Moore.
- Ross Anderson, Murphy's law, the fitness of evolving species, and the limits of software reliability.
- Chapters from his book? --- Security Engineering: A Guide to Building Dependable Distributed Systems
- More papers from Anderson et al. at the U. of Cambridge research group's site
- Mark F. Grady, Francesco Parisi, The Law and Economics of Cybersecurity: An Introduction
- Aspray, Chasing Moore's Law, ch. 5
- Publications by Neal Kumar Katyal:
- Digital Architecture as Crime Control
- Architecture as Crime Control
- Criminal Law in Cyberspace (possibly for week on criminal law)
Resources to mine for other readings
- List of resources on economic approaches to security
- The people named in this flyer will probably have useful papers
- A couple of Amitai Aviram's publications look interesting
Technical discussion
We'd want to start off with a briefing/discussion on the technical issues, led by a computer scientist volunteer or one of us. This means talking about the trouble computer scientists have a) writing secure software and b) determining whether a piece of software is secure. Questions to be discussed and explained would be:
- Why is writing secure software so hard? (software is complex, tiny vulnerabilities in seas of code millions of lines long)
- Computer scientists can't tell for sure whether their software is secure for anything more than the tiniest programs. So what CAN we do to evaluate how secure a piece of software is? What proxies for security do we measure (SE practices, performance on static analysis tests, security features in the spec)? This is necessary to cover, I'd think, for any discussion of legal liability--i.e., how do we assign blame for bad software? Well, we can see whether the vendor did everything he could to try to verify that his software was secure.
Legal discussion
Led by Ben/lawyer in the room:
- What is tort?
- Does it apply to software? Why not?
- What about in the future, as Ben said, as more devices go online?
Other tactics for improving software
- Policy solution: Should the gov't or other body license software engineers? Would that improve software quality?
- Market solution: Would creating an independent lab to evaluate software security help the consumer overcome the problem of "I want to buy secure software but I have no idea how to tell what software products are secure"? If ratings by a lab would get the consumer to buy the relatively more secure stuff, this would incentivize companies to provide it.
Readings and speakers (if we want them) TBD
- David Notkin might be convinced to explain problems with software security
- possible literature from the Cylab, CMU, law review articles (need to investigate)
- Schneier. Secrets and Lies, Digital Security in a Networked World
- chapter on security in Aspray, IT and Public Policy
- any notes/video from Ed L's IT/public policy class
How many days worth of class is this? One for technical, one for legal, one for discussion? Perhaps on the 3rd day we could assign people to think about how they would improve software security given what they learned about law and tech.