Adam Shostack's keynote from Appsec PNW 2023, explaining lessons we can learn from bridge engineering as the US adds a Cyber Safety Review Board and software liability.

1. From Tacoma Narrows
to West Seattle…
Lessons from A Century of
Pacific Northwest Bridge Failures
Adam Shostack
Appsec PNW 2023

2. 1940 to 2020

3. About Adam Shostack
(Only representing S+A today)

4. Outline
• Bridges
• Incidents
• Investigations
• Liability
• Software

5. Bridges
• Laws of physics
• Unchanged but… engineering advanced
• Materials costs dominate
• Investigations
• Liability
• Formal + informal

6. Engineering transformation
• Large bridges are not new
• Compressing stone scales well
• Rope suspension bridges around the world
• Iron
• 1779: wrought iron first used for a full bridge
• 1850s: large scale use
• Later: steel, carbon fiber
• Each transformation required experimentation

7. Materials cost dominated
Bridges are very large, heavy objects

8. Example: George Washington Bridge (NY)
• Completed in 1931
• Longest main bridge span until Golden Gate (1937)
• At construction
• 103,000 tons of fabricated steel
• 25,000 tons of wire (106,000 miles!)
• 18,000 tons of masonry
• $59.5 m 1931 dollars (~$1.2 B 2023)

9. 1930s Bridges
George Washington Golden Gate Bronx-Whitestone Tacoma Narrows
Completion 1931 1937 1939 1940
Center span (feet) 3500 4200 2300 2800
Girder depth (feet) 29 25 11 8
Wind truss width 106 90 74 39
Ratio depth:length
(Girder/center span) 1:120 1:168 1:209 1:350
Ratio (Width:length) 1:33 1:47 1:31 1:72
Cost $59.5 m $35 m $19.7 m $6.4 m
From Hobbs, Catastrophe to Triumph,
WSU Press (2006)

10. Bridge failures are obvious
• Formal liability
• Civil
• Criminal
• Informal results
• Reputational
• Professional judgement

12. Investigations
• External — outside the control of the builder
• Often seek to assign criminal or civil liability
• Adversarial
Excerpt from Leveson (2004)

13. Bridges vs software
Bridges
• Laws of physics
• Materials costs dominate
• Investigations
• Liability
Software
• Teaching sand new tricks
• Thinking cost dominates
• Cyber Safety Review Board (2022)
• US National Strategy (2023)

14. Software incident retros
• Currently run by companies,
filtered by PR
• Compare/contrast
• Operational incidents
• Security incidents

15. Cyber Safety Review Board (2022)
• Created by Executive Order on Improving the Nation’s Cybersecurity
• 30 years of calls for “an NTSB for software”
• Culminated in a NSF-funded workshop
• //shostack.org/resources/lessons

16. Authors: Robert Knake, Adam Shostack, Tarah Wheeler, Nov. 12, 2021

17. Liability

18. Intuition
• Politicians demonizing “big tech”
• Massive profits at FAANG

20. Software Liability (history)
• Legislative carve outs for software in the 60s/70s
• “No warranty…”
• …
• FTC Start with Security (2010s)
• California, 2016 not implementing CIS top 20 “constitutes a lack
of reasonable security.”

21. Liability (today)
• US National Cybersecurity Strategy
• “Software makers are able to leverage their market position to fully disclaim
liability by contract, further reducing their incentive to follow secure-by-design
principles or perform pre-release testing…” (pg 20)
• Shifting the Balance.. Principles for Security by Design from CISA+10
• FDA’s Refuse to Accept
• State laws (NY DFS, CCPA, WA My Health My Data)

22. Regulation and prescriptiveness
• Regulation is accompanied by prescriptive guidance
• Follow the rules and you’ll be ok (IANAL)
• Examples:
• Building codes specify wire gauge for given # amps, sockets every 6
feet...
• There are rules for driving and a test
• Recklessness as a backstop

24. Specifics are good, right?
• Will liability backfire?
• Hide more incidents
• Hard to be 100%
• Cybersecurity frameworks are expansive, flexible
• Risk management escape hatch?
• What if you’re not 100% on NIST CSF, NYDFS, PCI…
• Are you more liable?
• What’s the acceptable bar for appsec?

25. Sample issues: Which “should” be liabile?
• Sample issues help us form thoughtful judgement
• Vulnerabilities
• Motherboards from Gigabyte insecurely download, run updates
(Eclypsium/Andy Greenberg in Wired, May 31, “Firmware backdoor”)
• Extracting audio from photographs
• Design
• Gear bought in 2010 running on Windows XP
• Gear designed in 2010 running on Windows XP
• (Win 7 was released 2009, XP end of life 2014)

26. Liability and open source
• Assigning liability to open source developers is clearly a bad
idea
• Open source is clearly an economic good
• Code as speech limits liability
• US National strategy:
• “Responsibility must be placed on the stakeholders most capable of taking
action to prevent bad outcomes, not on … the open-source developer of a
component...”
• “Final goods assembly”
• EU’s Cyber Resilience Act is more worrisome
• See Bert Hubert, //berthub.eu

27. Liability — a likely path (USA)
• Safe harbor for
• Those doing the right things (memory safety, threat modeling)
• Not doing the wrong things (shipping with known vulns)
• Open source developers (previous slide)
• Workshop and assembling of knowledge
• Defining the role of professional judgement

28. Change on the order of agile, cloud?
• Investigations, liability are a huge shift
• US, EU proceeding differently
• Investigations, liability might have prevented agile +/or cloud

29. Appsec
engineering
transformations

30. Jan, 2022
IEEE Security + Privacy
1996
Fidelity internal +
anonymous release
Jan, 2002
Securityfocus.com

31. Appsec transformations over 25 years
• SDL/SSDF becoming mainstream, required
• Platform improvements (languages, runtimes, tools)
• Skills for the few augmented by broadly held skills
• How do we achieve this?
• Similar to “the pipeline problem”, but different

33. Ideas underlying Threats
• There are aspects of security every engineer should know
• This will be a massive shift
• Threats are a good lens, because ‘what can go wrong’ motivates
security features + properties in design
• See “A Fully Trained Jedi” (Blackhat) talk for more

34. Inflection point
• Combination of disclosure and liability
• Gates Trustworthy Computing Memo

35. There is no fate but what we
make for ourselves
The future is not set.
— Sarah Connor/
Kyle Reese
There is no fate but
what we make.

36. Thank you!

37. Questions?
Now or
adam@shostack.org

38. References/Acks
• //Shostack.org/resources/lessons
• //berthub.eu
• GW Bridge photo, Juli Tejera
https://www.flickr.com/photos/134732149@N02/46765441525/
• Tay bridge remnants, Bruce Galloway
https://www.flickr.com/photos/jbg06003/22828988238/
• Books:
– Petroski, Engineers of Dreams
– Leveson, Engineering a Safer World
– Hobbs, Catastrophe to Triumph

39. abstract
The Pacific Northwest has an abundance of bridges, and most of them
seem to stand up well over the years, with notable exceptions and
problems. What can software learn from them? More importantly, the
software world is shifting to more transparency and
liability. Transparency is coming not only from the normalization of
breach notification and learning from incidents, but also with the
newly introduced CSRB. Liability is coming not only as part of the US
National Strategy, but from a plethora of more local regulation. What
does it mean for appsec practitioners, our employers and the open
source projects we work on?