SESSION ID:
Software Liability?: The Worst Possible Idea
(Except For All Others)
ASEC-F01
Jake Kouns
Chief Information Sec...
#RSAC
Worst quality image (except all others)
2
#RSAC
Agenda
 Why Liability? Why now?
 Product Liability 101
 Product Liability Implementation
 Why NOT to have Produc...
#RSAC
Triggers…
4
#RSAC
#RSAC
! $4f3 @ * $p33d
6
#RSAC
Our Bodies
7
#RSAC
8
#RSAC
In our homes
#RSAC
#RSAC
#RSAC
Our Infrastructure
12
Product Liability
#RSAC
Defined
 Wikipedia definition:
 Product liability is the area of law in which
manufacturers, distributors, supplie...
#RSAC
Manufacturing Defects
#RSAC
Design Defects
#RSAC
Failure To Warn
#RSAC
Failure To Warn
#RSAC
Failure To Warn
#RSAC
Failure To Warn
#RSAC
Breach of Warranty
#RSAC
Consumer Protection
Product Liability
Implementation
#RSAC
Who knows the name of this car?
#RSAC
Ford Pinto
#RSAC
Ford Pinto (1971 – 1980)
 Allegations that the Pinto's structural design allowed its fuel tank filler
neck to break...
#RSAC
Intended Value and Impact
 Companies put a larger emphasis on prevention of issues
 Companies put a larger emphasi...
#RSAC
Any issues with hot coffee?
#RSAC
Very well known case!
#RSAC
Liebeck v. McDonald’s Restaurants (1994)
 Known as the McDonald's coffee case and the hot coffee lawsuit
 A New Me...
#RSAC
When Product Liability Goes Wrong?
 McDonald’s hot coffee is thought to be when legal system goes wrong!
 Most act...
#RSAC
Does this provide value to end consumers / users of the product?
McDonald’s Coffee
#RSAC
Restaurant Health Codes
33
#RSAC
Deceptive Products
34
#RSAC
Product Recalls
 Consumer Products
 appliances, clothing, electronic / electrical. furniture, household, children'...
#RSAC
Software Product Recalls?
When the product is marketed to be secure and it
isn’t how do software vendors handle it?
...
Product Liability for
Software Vendors
#RSAC
Software Liability
 Software Liability: Our Saving Grace or Kiss of Death?
 Debated by Marcus Ranum and Bruce Schn...
#RSAC
Software Liability: Worst Idea
 Josh: Insert the mind map
#RSAC
Reason #1 - The Worst Possible Idea
 Stifle Innovation
 New features and ideas would be slow to market due to fina...
#RSAC
Reason #2 - The Worst Possible Idea
 Barriers to Entry?
 Could Hurt Small Businesses and Startups
 Large enterpri...
#RSAC
Reason #3 - The Worst Possible Idea
 Economic Impacts
 What does this mean to the economy? Potential for massive a...
#RSAC
Reason #4 - The Worst Possible Idea
 Vendor Impact
 Companies unable to handle the cost
 Raise prices
 But this ...
#RSAC
Restaurant Health Codes
44
#RSAC
Counters to: The Worst Possible Idea
Food Safety Cars
1) Stifle Innovation Chef’s can’t innovate? Safety Differentia...
What’s Working To
Influence Better
Security Practices?
#RSAC
What Are We Doing To Improve Security?
 PCI/DSS*
 SOX*
 Market Forces*
 Companies only pick secure software (if ...
#RSAC
Software Vulnerabilities Over time
2013: 10,280
2012: 9,909
2011: 7,751
2010: 9,054
2009: 8,092
2008: 9,696
2007: 9,...
#RSAC
Data Breaches Over Time
Source: Risk Based Security - https://cyberriskanalytics.com
#RSAC
Why Aren’t We Improving?
 Complexity
 Costs
 No real impact to end consumer?
 No real property or injury type is...
Some Economics
51
#RSAC
On Free Market Forces…
#RSAC
Information Asymmetry and Signaling
Seller Knows
Buyer Knows
#RSAC
True Costs & Least Cost Avoiders
ACME
Enterprise
Bank
Retail
Manufacturing
BioPharma
Education
High Tech
Enterprise
...
#RSAC
0
10
20
30
40
50
60
70
80
90
100
Defensibility Index
Goal
Security++
Security
Base
Passing the Buck (and Cost)
#RSAC
0
10
20
30
40
50
60
70
80
90
100
Defensibility Index
Goal
Security++
Security
Base
Passing the Buck (and Cost)
#RSAC
0
10
20
30
40
50
60
70
80
90
100
Defensibility Index
Goal
Security++
Security
Base
Passing the Buck (and Cost)
#RSAC
True Costs & Least Cost Avoiders
ACME
Enterprise
Bank
Retail
Manufacturing
BioPharma
Education
High Tech
Enterprise
...
#RSAC
True Costs & Least Cost Avoiders: Downstream
ACME
Enterprise
Bank
Retail
Manufacturing
BioPharma
Education
High Tech...
#RSAC
The Fallacy of Broken Windows
60
#RSAC
True Costs & Least Cost Avoiders
ACME
Enterprise
Bank
Retail
Manufacturing
BioPharma
Education
High Tech
Enterprise
...
Where Do We Go
From Here?
#RSAC
The World Is Changing
#RSAC
Reliance On Poor Software
Poor software with security issues in
the new Internet of Things world can
now lead to:
• ...
#RSAC
Product Liability Is Already Here
 Its not the software that hurts the people, it’s a component of a larger
finishe...
#RSAC
Product Liability Is Already Here
 The important portion of the MacPherson opinion:
 “If the nature of a thing is ...
#RSAC
Software Part Of The Final Product
#RSAC
Financial Liability For Data Breach Already Exists
#RSAC
Financial Liability For Data Breach Already Exists
“Enhanced security
and manageability
via comprehensive
and flexib...
#RSAC
Expansion Of Liability Is Likely Coming
 Liability already exists due to a data breach
 Currently on the company t...
#RSAC
Not from Whole Cloth
 UL for electronics
 NTSB & ASRS for aviation
 NHSTB? or NHTSA? for vehicles
 FDA & DHS ICS...
#RSAC
Taking Care: Incentives Incentivize (Perversely)
 Let’s NOT recreate PCI DSS
 Outcomes over Inputs (Control Object...
#RSAC
Yes… HDMoore’s Law (Bellis & Roytman [&Geer])
73
“Punchline: Using CVSS to steer remediation is
nuts, ineffective, d...
#RSAC
How Could Software Liability Work?
 Not be prescriptive on what needs to be done / security implement
 Allow for t...
#RSAC
The EULA Elephant in the Room…
 EULAs may be the primary
obstacle
 These 1 sided contracts cannot be
overlooked
 ...
#RSAC
Things you can do
 Investigate/Join “The Cavalry” @iamthecavalry
 Public Safety & Human Life
 Watch
 Hot Coffee
...
Discussion!
SESSION ID:
Software Liability?: The Worst Possible Idea
(Except for all Others)
ASEC-F01
Jake Kouns
Chief Information Sec...
Upcoming SlideShare
Loading in …5
×

Software Liability?: The Worst Possible Idea (Except for all Others)

1,014 views

Published on

While many had hoped that market competition would influence security improvements, customers are forced to accept software as is with no alternatives. Software is responsible for our critical infrastructure, cars, medical devices and is a part of our daily lives including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?

Published in: Software
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,014
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • IMG SRC:http://oxford.tab.co.uk/2013/05/08/henrys-view-anti-misogyny-movement-not-helping-itself/?comment_sort=recent
  • FTC
  • IMG SRC: http://circa71.files.wordpress.com/2010/08/cuy-river-fire1.jpgIn 1969, the Cuyahoga River in Ohio caught on fire and stayed on fire….….it took this to finally get serious discussion about pollution.We believe a similar trigger will likely be required to cause SW Liability and/or significant criminalization of research changes.
  • Photo taken by Speaker – Joshua Corman
  • http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/WATCH THE VIDEOhttp://www.scmagazine.com/researchers-shed-light-on-car-hacking/article/320604/
  • SOURCE: http://www.startribune.com/business/225601262.html
  • Comic relief to Kevin’s conversation with Josh RE: BlueTooth on Insulin pumps.“Everything’s better with bacon? Everything’s better with BlueTooth” – Kevin FuIMG SRC:http://beekn.net/2013/12/bluetooth-le-arduino-wifi-android/
  • SOURCE: http://www.cnn.com/2013/09/27/us/miss-teen-usa-sextortion/
  • SOURCE:http://www.networkworld.com/community/blog/firesheep-moment-scada-hacking-critical-infrastructure-systems-now-easy-pushing-button
  • http://en.wikipedia.org/wiki/Product_liabilityIssues or claims most commonly associated with product liability are:LiabilityBreach of warrantyNegligenceConsumer protectionStrict liability
  • Manufacturing: explore “Poor quality materials” [sic open source code with known CVE over X at the time(window) of release]Manufacturing: explore “shoddy workmanship” as things like: No published SDLC, No 3rd party Scan, Violating OWASP Top10, ____, ____Manufacturing defects are those that occur in the manufacturing process and usually involve poor-quality materials or shoddy workmanship.
  • Design: explore expectations of “safe” in context of OWASP? 3rd party testing? 5 star crash testing?Design: risks outweigh the benefits could be worked but could be tricky. The BlueTooth stack on insulin pump over MUCH safer direct wireDesign defects occur where the product design is inherently dangerous or useless (and hence defective) no matter how carefully manufactured; this may be demonstrated either by showing that the product fails to satisfy ordinary consumer expectations as to what constitutes a safe product, or that the risks of the product outweigh its benefits.
  • Warn: perhaps some sort of ongoing monitoring of the 3rd party and open source code ingredients you’ve used (e.g.)Failure-to-warn defects arise in products that carry inherent nonobvious dangers which could be mitigated through adequate warnings to the user, and these dangers are present regardless of how well the product is manufactured and designed for its intended purpose.
  • Warn: perhaps some sort of ongoing monitoring of the 3rd party and open source code ingredients you’ve used (e.g.)Failure-to-warn defects arise in products that carry inherent nonobvious dangers which could be mitigated through adequate warnings to the user, and these dangers are present regardless of how well the product is manufactured and designed for its intended purpose.
  • Warn: perhaps some sort of ongoing monitoring of the 3rd party and open source code ingredients you’ve used (e.g.)Failure-to-warn defects arise in products that carry inherent nonobvious dangers which could be mitigated through adequate warnings to the user, and these dangers are present regardless of how well the product is manufactured and designed for its intended purpose.
  • Warn: perhaps some sort of ongoing monitoring of the 3rd party and open source code ingredients you’ve used (e.g.)Failure-to-warn defects arise in products that carry inherent nonobvious dangers which could be mitigated through adequate warnings to the user, and these dangers are present regardless of how well the product is manufactured and designed for its intended purpose.
  • Warranties are statements by a manufacturer or seller concerning a product during a commercial transaction. Breach of warranty-based product liability claims usually focus on one of three types: breach of an express warrantybreach of an implied warranty of merchantabilitybreach of an implied warranty of fitness for a particular purpose.
  • Physical injury is the keen focus of the cavalry as we hone down the scopeLemon Laws made need exploration later as signaling to overcome Info Asymmetry and suboptimal outcomes for “both/all” parties Many states have enacted consumer protection statutes providing for specific remedies for a variety of product defects. Statutory remedies are often provided for defects which merely render the product unusable (and hence cause economic injury) but do not cause physical injury or damage to other property; the "economic loss rule" means that strict liability is generally unavailable for products that damage only themselves. The best known examples of consumer protection laws for product defects are lemon laws, which became widespread because automobiles are often an American citizen's second-largest investment after buying a home.
  • The National Highway Traffic Safety Administration (NHTSA) ultimately directed Ford to recall the Pinto.
  • Documentary on this called Hot CoffeeFree refills of coffee were offered and it was decided to make it so hot so they couldn’t drink it fast enough to need refills.
  • http://www.smh.com.au/small-business/managing/kitchen-nightmares-roaches-rats-and-bandaids-20110811-1inte.html
  • The marketers of Sensa, a weight-loss powder sprinkled on food, will pay $26.5 million to settle agency charges that the company made unfounded weight-loss claims and used misleading endorsements
  • When products do not work as expected, orgs are expected to make it right, in terms of recalls and correcting as their cost, not to the consumer
  • When products do not work as expected, orgs are expected to make it right, in terms of recalls and correcting as their cost, not to the consumerHow would it be if a car company said support was EOL? No more recalls / fixes
  • Fair amount of discussion on this topic with two extreme sidesRSA debate: http://www.youtube.com/watch?v=5rSScJinPoQ (The goal was to solve and resolve this issues once and for all)
  • There are lots of ideas here, this isn’t a straight forward issuesLots of complexity, however, we are going to highlight a few of the points most frequently used as reason it is a bad idea.
  • http://www.smh.com.au/small-business/managing/kitchen-nightmares-roaches-rats-and-bandaids-20110811-1inte.html
  • ExSqueeze me?! Baking Powder? – I’ll have to hear your case.Just listing the responses to improving security
  • This chart needs updating. It isn’t current unfortunately.
  • JOSH: I’ve done recent keynotes on a lot of this (and the next section of changing landscape). I can flesh this out.
  • http://blogs.telegraph.co.uk/news/danielhannan/100095953/news-of-the-world-closed-by-market-forces-the-system-works/
  • http://asrs.arc.nasa.gov/images/logo.jpg
  • SOURCE:http://www.youtube.com/watch?v=hXC9FI1nAqsMight not be the best pne, but had a good visual to screen shot.Basic point is:Destruction is notstimulative. Hidden costs/impacts and Opportunity Costs
  • Image from http://www.davenussbaum.com/adapting-to-change/
  • Image from http://www.davenussbaum.com/adapting-to-change/
  • Image from http://www.davenussbaum.com/adapting-to-change/
  • Everyone knows the Target data breach. It was a PoS system that was hacked. Was is really Target’s fault? Target’s U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence. We know Target is going to pay.
  • Target Rolling out Retalix in place of home grown system. It advertises its product as “Enhanced security and manageability via comprehensive and flexible access and authorization control” If the breach occurred and it was Retalix security issue… who pays?
  • We need to help shape it now and stop saying it isn't a good solution
  • http://asrs.arc.nasa.gov
  • http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
  • http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/http://blog.risk.io/2013/08/stop-fixing-all-the-things-bsideslv/See also the Dan Geer & Mike Roytman USENIX White Paper on this:https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf
  • http://ad-challenger.blogspot.com/2012/04/web-typography-coping-with-ele-font-in.html
  • http://www.iamthecavalry.org18m TEDx for the Cavalry “Swimming w/ Sharks: Security in the Internet of Things”http://www.youtube.com/watch?v=rZ6xoAtdF3ohttp://www.amazon.com/Geekonomics-Real-Insecure-Software-paperback/dp/0321735978
  • Software Liability?: The Worst Possible Idea (Except for all Others)

    1. 1. SESSION ID: Software Liability?: The Worst Possible Idea (Except For All Others) ASEC-F01 Jake Kouns Chief Information Security Officer Risk Based Security @jkouns Joshua Corman CTO Sonatype @joshcorman
    2. 2. #RSAC Worst quality image (except all others) 2
    3. 3. #RSAC Agenda  Why Liability? Why now?  Product Liability 101  Product Liability Implementation  Why NOT to have Product Liability for Software Vendors  Some Economics  What is Changing the Equation 3
    4. 4. #RSAC Triggers… 4
    5. 5. #RSAC
    6. 6. #RSAC ! $4f3 @ * $p33d 6
    7. 7. #RSAC Our Bodies 7
    8. 8. #RSAC 8
    9. 9. #RSAC In our homes
    10. 10. #RSAC
    11. 11. #RSAC
    12. 12. #RSAC Our Infrastructure 12
    13. 13. Product Liability
    14. 14. #RSAC Defined  Wikipedia definition:  Product liability is the area of law in which manufacturers, distributors, suppliers, retailers, and others who make products available to the public are held responsible for the injuries those products cause.  Although the word "product" has broad connotations, product liability as an area of law is traditionally limited to products in the form of tangible personal property.
    15. 15. #RSAC Manufacturing Defects
    16. 16. #RSAC Design Defects
    17. 17. #RSAC Failure To Warn
    18. 18. #RSAC Failure To Warn
    19. 19. #RSAC Failure To Warn
    20. 20. #RSAC Failure To Warn
    21. 21. #RSAC Breach of Warranty
    22. 22. #RSAC Consumer Protection
    23. 23. Product Liability Implementation
    24. 24. #RSAC Who knows the name of this car?
    25. 25. #RSAC Ford Pinto
    26. 26. #RSAC Ford Pinto (1971 – 1980)  Allegations that the Pinto's structural design allowed its fuel tank filler neck to break off and the fuel tank to be punctured in a rear-end collision, resulting in deadly fires from spilled fuel.  27 deaths were attributed to Pinto fires.  According to a 1977 Mother Jones article by Mark Dowie, Ford allegedly was aware of the design flaw, refused to pay for a redesign, and decided it would be cheaper to pay off possible lawsuits.
    27. 27. #RSAC Intended Value and Impact  Companies put a larger emphasis on prevention of issues  Companies put a larger emphasis on testing / precautions  Companies put a culture in place and don’t take unnecessary risks due to financial impact  Better risk management for the entire company  If a company becomes aware of an issue, they act quickly to correct
    28. 28. #RSAC Any issues with hot coffee?
    29. 29. #RSAC Very well known case!
    30. 30. #RSAC Liebeck v. McDonald’s Restaurants (1994)  Known as the McDonald's coffee case and the hot coffee lawsuit  A New Mexico civil jury awarded $2.86 million to plaintiff Stella Liebeck who had suffered third-degree burns in her pelvic region when she accidentally spilled hot coffee in her lap after purchasing it from a McDonald's restaurant.  Liebeck was hospitalized for eight days while she underwent skin grafting, followed by two years of medical treatment.
    31. 31. #RSAC When Product Liability Goes Wrong?  McDonald’s hot coffee is thought to be when legal system goes wrong!  Most actually don’t know the correct full story!  This is really a case of “Failure To Warn”  Documents obtained from McDonald's showed that from 1982 to 1992 the company had received more than 700 reports of people burned by McDonald's coffee  Varying degrees of severity, and had settled claims arising from scalding injuries for more than $500,000.  Questions were asked why was it so hot?
    32. 32. #RSAC Does this provide value to end consumers / users of the product? McDonald’s Coffee
    33. 33. #RSAC Restaurant Health Codes 33
    34. 34. #RSAC Deceptive Products 34
    35. 35. #RSAC Product Recalls  Consumer Products  appliances, clothing, electronic / electrical. furniture, household, children's products, lighting / lighter, outdoor, sports / exercise  Motor Vehicles and Tires  Child Safety Seats  Food and Medicine  Cosmetics and Environmental Products
    36. 36. #RSAC Software Product Recalls? When the product is marketed to be secure and it isn’t how do software vendors handle it? No more security patches of fixes for the product?
    37. 37. Product Liability for Software Vendors
    38. 38. #RSAC Software Liability  Software Liability: Our Saving Grace or Kiss of Death?  Debated by Marcus Ranum and Bruce Schneier at RSA 2012  At this point, the issue seems to be still unresolved  With most people being on the side that it is an awful idea
    39. 39. #RSAC Software Liability: Worst Idea  Josh: Insert the mind map
    40. 40. #RSAC Reason #1 - The Worst Possible Idea  Stifle Innovation  New features and ideas would be slow to market due to financials exposures  Fewer features  Slower time to market  Could hurt competitiveness and/or client satisfaction
    41. 41. #RSAC Reason #2 - The Worst Possible Idea  Barriers to Entry?  Could Hurt Small Businesses and Startups  Large enterprises would easily adjust to additional overhead, but cripple new and small businesses
    42. 42. #RSAC Reason #3 - The Worst Possible Idea  Economic Impacts  What does this mean to the economy? Potential for massive amount of money to change hands. The uncertainty alone makes it an awful idea.  “IT” and Software we/are HUGE parts of the US GDP (and growing faster)
    43. 43. #RSAC Reason #4 - The Worst Possible Idea  Vendor Impact  Companies unable to handle the cost  Raise prices  But this is specious for a few reasons:  True Costs and Least Cost Avoiders are more efficient for the system  Hidden Costs and Cost of Ownership changes must be factored
    44. 44. #RSAC Restaurant Health Codes 44
    45. 45. #RSAC Counters to: The Worst Possible Idea Food Safety Cars 1) Stifle Innovation Chef’s can’t innovate? Safety Differentiation 2) Barriers to Entry Good! Outstanding! 3) Economic Impact Doubtful Premium Pricing 4) Raise Prices/Exit Markets To avoid illness/disease? Free Market Demand
    46. 46. What’s Working To Influence Better Security Practices?
    47. 47. #RSAC What Are We Doing To Improve Security?  PCI/DSS*  SOX*  Market Forces*  Companies only pick secure software (if they care)  HHS/HITECH (regulatory fines)*  SEC*  FTC* *Debatable
    48. 48. #RSAC Software Vulnerabilities Over time 2013: 10,280 2012: 9,909 2011: 7,751 2010: 9,054 2009: 8,092 2008: 9,696 2007: 9,538 2006: 11,009 2005: 7,858
    49. 49. #RSAC Data Breaches Over Time Source: Risk Based Security - https://cyberriskanalytics.com
    50. 50. #RSAC Why Aren’t We Improving?  Complexity  Costs  No real impact to end consumer?  No real property or injury type issues?  People just don’t really care?
    51. 51. Some Economics 51
    52. 52. #RSAC On Free Market Forces…
    53. 53. #RSAC Information Asymmetry and Signaling Seller Knows Buyer Knows
    54. 54. #RSAC True Costs & Least Cost Avoiders ACME Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech
    55. 55. #RSAC 0 10 20 30 40 50 60 70 80 90 100 Defensibility Index Goal Security++ Security Base Passing the Buck (and Cost)
    56. 56. #RSAC 0 10 20 30 40 50 60 70 80 90 100 Defensibility Index Goal Security++ Security Base Passing the Buck (and Cost)
    57. 57. #RSAC 0 10 20 30 40 50 60 70 80 90 100 Defensibility Index Goal Security++ Security Base Passing the Buck (and Cost)
    58. 58. #RSAC True Costs & Least Cost Avoiders ACME Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech
    59. 59. #RSAC True Costs & Least Cost Avoiders: Downstream ACME Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech
    60. 60. #RSAC The Fallacy of Broken Windows 60
    61. 61. #RSAC True Costs & Least Cost Avoiders ACME Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech
    62. 62. Where Do We Go From Here?
    63. 63. #RSAC The World Is Changing
    64. 64. #RSAC Reliance On Poor Software Poor software with security issues in the new Internet of Things world can now lead to: • Bodily Injury • Property Damage • Financial Harm
    65. 65. #RSAC Product Liability Is Already Here  Its not the software that hurts the people, it’s a component of a larger finished product, making it a product failure not just the software.  MacPherson v. Buick Motor Co., 217 N.Y. 382, 111 N.E. 1050 (1916)  Donald C. MacPherson was injured when one of the wooden wheels of his 1909 "Buick Runabout" collapsed  Buick Motor Company, had manufactured the vehicle, but not the wheel, which had been manufactured by another party but installed by defendant.  Software responsibility is going to be on final good manufacturer (no matter what) that is delivering the final product
    66. 66. #RSAC Product Liability Is Already Here  The important portion of the MacPherson opinion:  “If the nature of a thing is such that it is reasonably certain to place life and limb in peril when negligently made, it is then a thing of danger. Its nature gives warning of the consequence to be expected. If to the element of danger there is added knowledge that the thing will be used by persons other than the purchaser, and used without new tests, then, irrespective of contract, the manufacturer of this thing of danger is under a duty to make it carefully. That is as far as we need to go for the decision of this case . . . . If he is negligent, where danger is to be foreseen, a liability will follow”
    67. 67. #RSAC Software Part Of The Final Product
    68. 68. #RSAC Financial Liability For Data Breach Already Exists
    69. 69. #RSAC Financial Liability For Data Breach Already Exists “Enhanced security and manageability via comprehensive and flexible access and authorization control”
    70. 70. #RSAC Expansion Of Liability Is Likely Coming  Liability already exists due to a data breach  Currently on the company that had the breach regardless if it was the fault of a software product they purchased and expect security in place  Large companies can handle the costs, however, small businesses filing for bankruptcy  Doing everything right but the software they purchased with an expectation to be secure isn’t  Is this right?
    71. 71. #RSAC Not from Whole Cloth  UL for electronics  NTSB & ASRS for aviation  NHSTB? or NHTSA? for vehicles  FDA & DHS ICS-CERT for medical  FCC for “radio controlled”  FTC for enforcement  SEC for publically traded  Consumer Reports?
    72. 72. #RSAC Taking Care: Incentives Incentivize (Perversely)  Let’s NOT recreate PCI DSS  Outcomes over Inputs (Control Objectives over Controls)  Visibility to support Free Market Forces and Choice  Filter on “With the potential to affect human life and public safety”  Due Care / Negligence / Reasonability  Software must be “Patchable”  HDMoore’s Law (and/or OWASP Top 10?)  We had better know what we really want to incentivize…
    73. 73. #RSAC Yes… HDMoore’s Law (Bellis & Roytman [&Geer]) 73 “Punchline: Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee jerk; given the availability of data it is also passe’, which we will now demonstrate.” -Geer/Roytman
    74. 74. #RSAC How Could Software Liability Work?  Not be prescriptive on what needs to be done / security implement  Allow for the concept of liability to exist in software world  Not just for tangible products  Not just for Bodily Injury / Property Damage  Ensure security is not the last items on the priority list (new features FTW)
    75. 75. #RSAC The EULA Elephant in the Room…  EULAs may be the primary obstacle  These 1 sided contracts cannot be overlooked  EULA Reform may be close  E.g. No more than 1 page of plain speak
    76. 76. #RSAC Things you can do  Investigate/Join “The Cavalry” @iamthecavalry  Public Safety & Human Life  Watch  Hot Coffee  Reading:  Geekonomics by David Rice  Therac-25 History 76
    77. 77. Discussion!
    78. 78. SESSION ID: Software Liability?: The Worst Possible Idea (Except for all Others) ASEC-F01 Jake Kouns Chief Information Security Officer Risk Based Security @jkouns Joshua Corman CTO Sonatype @joshcorman

    ×