Talk:Cybersecurity

From CSEP590TU
Revision as of 19:13, 15 October 2004 by Cmbenner (talk | contribs)


Improving software security: interdisciplinary analysis

Caroline Benner: I have been looking but haven't found anything that analyzes the problems with and opportunities for creating more secure software by drawing on the perspectives of law, computer science/software engineering, business and perhaps other disciplines at the same time.

To apply Professor Maurer's suggested formula for papers for the course to this idea: you start with the non-trivial technical observation that is likely unknown to most non-technical people. Here, that is that measuring security is, so far as I understand, a difficult problem for computer scientists, so even deciding whether software is secure presents a host of challenges. From there you consider whether technical solutions to the problem exist, and then move into the policy solutions (or business, legal...).

There's a lot here--some early quick thoughts...

Business issues: consumers don't demand security over features, so companies don't provide security; how can this change? Marketing: is it up to marketing departments to convince consumers they need security?

Technical issues: are there generalizable ways to measure security? Ones that could translate into a system that consumers can use to decide what software to buy (assuming they have choice)? Do better software engineering practices (code review, documentation) make software more secure? Do improvements in the tools and techniques software engineers use make software more secure? Can these questions be answered?

Legal issues: vendor liability. What are the costs and benefits of making software vendors liable for insecure software vs. the status quo? Are there other equally effective ways of making software more secure? Would imposing liability chill innovation?

Possible angles: open source vs proprietary--effects of imposing vendor liability on each community, technical analyses of which process produces more secure code...