
Panel Summary: The Future of Software Regulation

Published: 15 September 2014

Abstract

A panel at the New Security Paradigms Workshop (2014) discussed the regulation and licensing of software developers and information security professionals, covering the current state of certification, possible future directions, and the challenges that new forms of regulation would bring. This paper presents a brief background on the subject, the three positions put forward by the panelists, and finally a summary of the discussion that took place at the workshop, including input from both the panelists and the workshop attendees.


Cited By

  • (2017) A Typology of Cybersecurity and Public–Private Partnerships in the Context of the European Union. In: Security Privatization, pp. 219--247. DOI: 10.1007/978-3-319-63010-6_10. Online publication date: 1 October 2017.


Published In

NSPW '14: Proceedings of the 2014 New Security Paradigms Workshop
September 2014
148 pages
ISBN:9781450330626
DOI:10.1145/2683467

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. credit score
  2. ethics
  3. licensing
  4. offensive security
  5. public policy
  6. regulation
  7. software development

Qualifiers

  • Panel

Conference

NSPW '14: New Security Paradigms Workshop
Sponsor: ACSA
September 15 - 18, 2014
Victoria, British Columbia, Canada

Acceptance Rates

NSPW '14 Paper Acceptance Rate 11 of 32 submissions, 34%;
Overall Acceptance Rate 98 of 265 submissions, 37%
