Software Liability?: The Worst Possible Idea (Except for all Others)
Jake Kouns Chief Information Security Officer Risk Based Security @jkouns
Joshua Corman CTO Sonatype @joshcorman
© 2014 EMC Corporation. All rights reserved. 2
Worst quality image (except all others)
Agenda
• Why Liability? Why now?
• Product Liability 101
• Product Liability Implementation
• Why NOT to have Product Liability for Software Vendors
• Some Economics
• What is Changing the Equation
Triggers…
! $4f3 @ * $p33d
Our Bodies
In our homes
Our Infrastructure
Product Liability
Defined
• Wikipedia definition:
  – Product liability is the area of law in which manufacturers, distributors, suppliers, retailers, and others who make products available to the public are held responsible for the injuries those products cause.
  – Although the word "product" has broad connotations, product liability as an area of law is traditionally limited to products in the form of tangible personal property.
Manufacturing Defects
Design Defects
Failure To Warn
Breach of Warranty
Consumer Protection
Product Liability Implementation
Who knows the name of this car?
Ford Pinto
Ford Pinto (1971 – 1980)
• Allegations that the Pinto's structural design allowed its fuel tank filler neck to break off and the fuel tank to be punctured in a rear-end collision, resulting in deadly fires from spilled fuel.
• 27 deaths were attributed to Pinto fires.
• According to a 1977 Mother Jones article by Mark Dowie, Ford allegedly was aware of the design flaw, refused to pay for a redesign, and decided it would be cheaper to pay off possible lawsuits.
Intended Value and Impact
• Companies put a larger emphasis on prevention of issues
• Companies put a larger emphasis on testing / precautions
• Companies put a culture in place and don’t take unnecessary risks due to financial impact
• Better risk management for the entire company
• If a company becomes aware of an issue, they act quickly to correct it
Any issues with hot coffee?
Very well known case!
Liebeck v. McDonald’s Restaurants (1994)
• Known as the McDonald's coffee case and the hot coffee lawsuit
• A New Mexico civil jury awarded $2.86 million to plaintiff Stella Liebeck who had suffered third-degree burns in her pelvic region when she accidentally spilled hot coffee in her lap after purchasing it from a McDonald's restaurant.
• Liebeck was hospitalized for eight days while she underwent skin grafting, followed by two years of medical treatment.
When Product Liability Goes Wrong?
• McDonald’s hot coffee is thought to be a case where the legal system goes wrong!
• Most actually don’t know the correct full story!
• This is really a case of “Failure To Warn”
• Documents obtained from McDonald's showed that from 1982 to 1992 the company had received more than 700 reports of people burned by McDonald's coffee
• Varying degrees of severity, and had settled claims arising from scalding injuries for more than $500,000.
• Questions were asked: why was it so hot?
Does this provide value to end consumers / users of the product? McDonald’s Coffee
Restaurant Health Codes
Deceptive Products
Product Recalls
• Consumer Products
  – appliances, clothing, electronic / electrical, furniture, household, children's products, lighting / lighter, outdoor, sports / exercise
• Motor Vehicles and Tires
• Child Safety Seats
• Food and Medicine
• Cosmetics and Environmental Products
Software Product Recalls?
When the product is marketed to be secure and it isn’t, how do software vendors handle it?
No more security patches or fixes for the product?
Product Liability for Software Vendors
Software Liability
• Software Liability: Our Saving Grace or Kiss of Death?
  – Debated by Marcus Ranum and Bruce Schneier at RSA 2012
• At this point, the issue seems to be still unresolved
  – With most people being on the side that it is an awful idea
Software Liability: Worst Idea
• Josh: Insert the mind map
Reason #1 - The Worst Possible Idea
• Stifle Innovation
  – New features and ideas would be slow to market due to financial exposures
  – Fewer features
  – Slower time to market
  – Could hurt competitiveness and/or client satisfaction
Reason #2 - The Worst Possible Idea
• Barriers to Entry?
  – Could Hurt Small Businesses and Startups
  – Large enterprises would easily adjust to additional overhead, but it would cripple new and small businesses
Reason #3 - The Worst Possible Idea
• Economic Impacts
  – What does this mean to the economy? Potential for massive amount of money to change hands. The uncertainty alone makes it an awful idea.
  – “IT” and Software we/are HUGE parts of the US GDP (and growing faster)
Reason #4 - The Worst Possible Idea
• Vendor Impact
  – Companies unable to handle the cost
  – Raise prices
• But this is specious for a few reasons:
  – True Costs and Least Cost Avoiders are more efficient for the system
  – Hidden Costs and Cost of Ownership changes must be factored
Restaurant Health Codes
Counters to: The Worst Possible Idea

| Objection | Food Safety | Cars |
|---|---|---|
| 1) Stifle Innovation | Chefs can’t innovate? | Safety Differentiation |
| 2) Barriers to Entry | Good! | Outstanding! |
| 3) Economic Impact | Doubtful | Premium Pricing |
| 4) Raise Prices/Exit Markets | To avoid illness/disease? | Free Market Demand |
What’s Working To Influence Better Security Practices?
What Are We Doing To Improve Security?
• PCI/DSS*
• SOX*
• Market Forces*
  – Companies only pick secure software (if they care)
• HHS/HITECH (regulatory fines)*
• SEC*
• FTC*

*Debatable
Software Vulnerabilities Over Time

| Year | Vulnerabilities |
|---|---|
| 2013 | 10,280 |
| 2012 | 9,909 |
| 2011 | 7,751 |
| 2010 | 9,054 |
| 2009 | 8,092 |
| 2008 | 9,696 |
| 2007 | 9,538 |
| 2006 | 11,009 |
| 2005 | 7,858 |
Data Breaches Over Time
Source: Risk Based Security - https://cyberriskanalytics.com
Why Aren’t We Improving?
• Complexity
• Costs
• No real impact to end consumer?
• No real property or injury type issues?
• People just don’t really care?
Some Economics
On Free Market Forces…
Information Asymmetry and Signaling
(figure: what the seller knows vs. what the buyer knows)
True Costs & Least Cost Avoiders
(figure: ACME supplying Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech customers)
Passing the Buck (and Cost)
(figure: Defensibility Index chart, axis 0–100, with levels Base, Security, Security++ and Goal)
True Costs & Least Cost Avoiders: Downstream
(figure: ACME and its downstream Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech customers)
The Fallacy of Broken Windows
True Costs & Least Cost Avoiders
(figure: ACME and its downstream Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech customers; price labels $100 and $110)
Where Do We Go From Here?
The World Is Changing
Reliance On Poor Software
Poor software with security issues in the new Internet of Things world can now lead to:
• Bodily Injury
• Property Damage
• Financial Harm
Product Liability Is Already Here
• It’s not the software that hurts the people; it’s a component of a larger finished product, making it a product failure, not just the software.
• MacPherson v. Buick Motor Co., 217 N.Y. 382, 111 N.E. 1050 (1916)
  – Donald C. MacPherson was injured when one of the wooden wheels of his 1909 "Buick Runabout" collapsed
  – Buick Motor Company had manufactured the vehicle, but not the wheel, which had been manufactured by another party but installed by defendant.
• Software responsibility is going to be on the final good manufacturer (no matter what) that is delivering the final product
Product Liability Is Already Here
• The important portion of the MacPherson opinion:
– “If the nature of a thing is such that it is reasonably certain to place life and limb in peril when negligently made, it is then a thing of danger. Its nature gives warning of the consequence to be expected. If to the element of danger there is added knowledge that the thing will be used by persons other than the purchaser, and used without new tests, then, irrespective of contract, the manufacturer of this thing of danger is under a duty to make it carefully. That is as far as we need to go for the decision of this case . . . . If he is negligent, where danger is to be foreseen, a liability will follow”
Software Part Of The Final Product
Financial Liability For Data Breach Already Exists
Financial Liability For Data Breach Already Exists
“Enhanced security and manageability via comprehensive and flexible access and authorization control”
Expansion Of Liability Is Likely Coming
• Liability already exists due to a data breach
– Currently it falls on the company that had the breach, regardless of whether the breach was the fault of a software product they purchased and expected to be secure
• Large companies can handle the costs; small businesses, however, end up filing for bankruptcy
– Doing everything right, but the software they purchased with an expectation that it would be secure isn't
• Is this right?
Not from Whole Cloth
• UL for electronics
• NTSB & ASRS for aviation
• NHSTB? or NHTSA? for vehicles
• FDA & DHS ICS-CERT for medical
• FCC for “radio controlled”
• FTC for enforcement
• SEC for publicly traded
• Consumer Reports?
Taking Care: Incentives Incentivize (Perversely)
• Let’s NOT recreate PCI DSS
– Outcomes over Inputs (Control Objectives over Controls)
– Visibility to support Free Market Forces and Choice
• Filter on “With the potential to affect human life and public safety”
• Due Care / Negligence / Reasonability
– Software must be “Patchable”
– HDMoore’s Law (and/or OWASP Top 10?)
• We had better know what we really want to incentivize…
Yes… HDMoore’s Law (Bellis & Roytman [&Geer])
“Punchline: Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee jerk; given the availability of data it is also passé, which we will now demonstrate.”
– Geer/Roytman
How Could Software Liability Work?
• Not be prescriptive on what needs to be done / which security measures to implement
• Allow for the concept of liability to exist in the software world
– Not just for tangible products
– Not just for Bodily Injury / Property Damage
• Ensure security is not the last item on the priority list (new features FTW)
The EULA Elephant in the Room…
• EULAs may be the primary obstacle
• These one-sided contracts cannot be overlooked
• EULA Reform may be close
– E.g. No more than 1 page of plain speak
Things you can do
• Investigate/Join “The Cavalry” @iamthecavalry
– Public Safety & Human Life
• Watch
– Hot Coffee
• Reading:
– Geekonomics by David Rice
– Therac-25 History