Regulating Secure Software Development Analysing the Potential Regulatory Solutions for the Lack of Security in Software

Regulating Secure Software Development Analysing the Potential Regulatory Solutions for the Lack of Security in Software

Jari Råman Regulating Secure Software Development Analysing the potential regulatory solutions for the lack of security in software Academic Dissertation to be presented, with the permission of the Faculty of Law of the University of Lapland, for public discussion in Auditorium 2, Yliopistonkatu 8, Rovaniemi, on May 26th, 2006, at 12 o´clock. Acta Electronica Universitatis Lapponiensis 1 University of Lapland Faculty of Law Copyright: Jari Råman Distributor: Lapland University Press P.O. Box 8123 FI-96101 Rovaniemi tel. + 358 16 341 2924, fax + 358 16 341 2933 [email protected] www.ulapland.fi/publications Paperback ISBN 952-484-034-0 ISSN 0788-7604 PDF ISBN 952-484-053-7 ISSN 1796-6310 www.ulapland.fi/unipub Preface V ”…if a person can’t feel safe, he can never be free…” (ADA Richard Bay in the drama series “The Practice”, Season 4: Episode 14 – “Checkmates”) Preface This is what an assistant district attorney (ADA) told to a colleague about the role of prosecutors in order to cheer her up after losing another case to a devious defence counsel. Who said that watching courtroom drama, especially American series, is a waste of time; that they do not teach anything about lawyers’ work in continental law countries? Well... Maybe they do not, but this prosecutor certainly understood a part of the essence of freedom and safety and I got to spend amusing moments in front of a TV. This ADA was talking about personal safety, but the same statement is true also for security in general. In the era of Internet and the discussion of its inherent freedom, this really is a crucial statement. If we want to preserve at least some of the former imagined liberty of the Internet its time to take its security seriously. But it is also said that they that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. At first look these arguments seem contradictory. In fact, they are not. It is true that if you live in constant fear, you will not be able to enjoy the freedom you have. Likewise, if you give a way part of your liberty to obtain safety, you will end up with neither of them. The issue is about balance. These arguments are certainly true in the tangible world where we live in, but they are true also for the networked society and the virtual worlds. This is a legal scientist journey into security in the networked world. This really is a journey . One which I originally took with another destination in mind. To be honest, this is not the thesis I intended to make . It started out as a study of the role of information security in the central tenets of the constitutional state and the system of basic rights together with the place of information VI Regulating Secure Software Development security among central legal principles. If anything, in western constitutional democracies we build liberty by setting society upon a certain constitution to deal with the balancing. As I proceeded, I started doubting the usefulness of such an approach to other than lawyers in constitutional states like the Finnish; to also whom it is only of limited theoretical interest. While trying to understand to role of the constitutional rights arguments I faced the role of the coherence argument of law and noticed the line between the internal and external perspectives on law. Then something peculiar occurred; the law seemed to hamper the information security research and practice on many occasions, the one it was supposed to be enhancing. At the same time another interesting problem occurred. The ‘law’ and the legislator seemed to assume that the underlaying infrastructure and the components used therein are secure. Many of the legal provisions on transactions, contracting and on the use of constitutional rights in the networks in general seemed to build on this assumption. At the same time the infrastructure of the network society was widely recognised to be insecure by the information security community. This puzzled me so much that I had to go deeper. I wanted to understand why. Being a young and inexperienced researcher I threw myself headlong on the issue. What started out as a research at the very core of legal scholarship, legal and especially constitutional theory, turned out to study the fringes of the law. This is the outcome of that journey; an odyssey one might say. So much for my discipline... (Un)fortunately, this still is somewhat visible in the text. Before I can rejoin the original path with the wisdom, especially of the law, gathered during the many encounters on my journey of exploration, or make another one, the time has come to give thanks. My supervisor, Professor Ahti Saarenpää , deserves my gratitude above all for the academic freedom and encouragement. The high scholarly example you set forced me to do my best. Dissertation examiners Professor Kauko Wikström from the Preface VII University of Turku and Professor Gerald Quirchmayr from the University of Vienna made valuable comments to draft versions. I have taken most of them into account. Professor Quirchmayr kindly agreed to act as the academic opponent at the public defence. The odyssey would not have been the same if I had not come in contact with information security researchers from the Department of Information Processing Science at the University of Oulu and from the Oulu University Secure Programming Group. The former gave me an understanding of what information security is really all about. The latter not only acquainted me with the life of a bug, but also gave me a glimpse of what academic group work can be at its best. The research could not have been possible without financial support. The project Scarcity of Justice funded by the Academy of Finland gave me the original possibility to learn to know myself as a researcher and to make the initial wonderings in the dark. I am obliged to the Institute for Law and Informatics at the Faculty of Law. A thankyou goes also to the Rector of the University of Lapland and the Finnish Lawyers’ Association. At the final stages the Faculty of Law gave me a position as an assistant in legal informatics. I was able to finalise my thesis without overly burdensome administrative tasks largely due to the understanding of the acting professor Rauno Korhonen . Friends have really made the journey. A warm thankyou goes to Annamari, Anu and Pekka for just being yourselves. Thanks also to my parents Tuula and Kyösti, to my siblings Hanna , Henri and Petri , and to friends, relatives and colleagues not especially mentioned. Words are not enough for my nearest and dearest Mervi, Sofia and Selina . Rovaniemi, May 2006 Jari Råman VIII Regulating Secure Software Development Contents IX Contents Preface ............................................V Contents ...........................................IX References ........................................ XII List of Abbreviations ............................... LII 1 Introduction .......................................1 1.1 Seeing through a conceptual muddle . 6 1.2 Qualification of modes of software and information system . 9 1.3 Security and/or quality – or something in the between? ...................... 19 1.4 What is regulation? ........................... 25 1.5 Two combined perspectives into the study of regulation . 37 1.6 Research questions, purpose and contribution . 41 1.7 Of method and material ....................... 47 2 Understanding secure software development ......... 67 2.1 The network economic environment . 72 2.2 Time-to-market and security . 76 2.3 Remarks on maintenance and testing . 82 2.4 Appeal to developers and security . 89 2.5 Security and lock-in........................... 90 2.6 Failure of private motivation? . 95 2.7 Information security as an externality . 103 2.8 Inadequacies in the distribution of security-related information . 115 2.9 Asymmetry of security related information . 124 X Regulating Secure Software Development 3 The way regulation affects behaviour ............... 139 3.1 By providing reasons for action . 140 3.2 As internal influence ........................ 153 3.3 As external constraint ....................... 163 3.3.1 Different classifications with a common background assumption . 167 3.3.2 Attaching specific external influence mechanisms to instrument types . 175 3.4 Packaging influence mechanisms - the interaction of instruments . 199 3.5 Classifications of regulators and their objects . 205 3.6 A methodological aside – on the role of law in regulation . 211 4 Harnessing social norms: disclosure of vulnerability information ................ 223 4.1 Who regulates? ............................. 232 4.2 Influence mechanism ........................ 234 4.3 Factors shaping the influence . 243 4.3.1 Objectives .......................... 243 4.3.2 Substance ........................... 245 4.3.3 Implementation ...................... 254 4.3.4 Reactions of objects .................. 283 5 Using prescriptive rules: software product liability . 291 5.1 Who regulates ? ............................ 303 5.2 Influence mechanism ........................ 306 5.3 Factors shaping the influence . 326 5.3.1 Objectives .......................... 326 5.3.2 Substance ........................... 334 5.3.3 Implementation ...................... 378 5.1.4 Reaction of objects.................... 398 Contents XI 6 Conclusions ..................................... 409 6.1 Improving the influencing capacity of software product liability rules . 415 6.3 The way forward ........................... 461 Epilogue: value protection and decentred

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    538 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us