SESSION ID:
Software Liability?: The Worst Possible Idea
(Except For All Others)
ASEC-F01
Jake Kouns
Chief Information Security Officer
Risk Based Security
@jkouns
Joshua Corman
CTO
Sonatype
@joshcorman
#RSAC
Worst quality image (except all others)
Agenda
• Why Liability? Why now?
• Product Liability 101
• Product Liability Implementation
• Why NOT to have Product Liability for Software Vendors
• Some Economics
• What is Changing the Equation
Triggers…
! $4f3 @ * $p33d
Our Bodies
In our homes
Our Infrastructure
Product Liability
Defined
• Wikipedia definition:
  • Product liability is the area of law in which manufacturers, distributors, suppliers, retailers, and others who make products available to the public are held responsible for the injuries those products cause.
  • Although the word "product" has broad connotations, product liability as an area of law is traditionally limited to products in the form of tangible personal property.
Manufacturing Defects
Design Defects
Failure To Warn
Breach of Warranty
Consumer Protection
Product Liability Implementation
Who knows the name of this car?
Ford Pinto
Ford Pinto (1971 – 1980)
• Allegations that the Pinto's structural design allowed its fuel tank filler neck to break off and the fuel tank to be punctured in a rear-end collision, resulting in deadly fires from spilled fuel.
• 27 deaths were attributed to Pinto fires.
• According to a 1977 Mother Jones article by Mark Dowie, Ford allegedly was aware of the design flaw, refused to pay for a redesign, and decided it would be cheaper to pay off possible lawsuits.
Intended Value and Impact
• Companies put a larger emphasis on prevention of issues
• Companies put a larger emphasis on testing / precautions
• Companies put a culture in place and don't take unnecessary risks, because of the financial impact
• Better risk management for the entire company
• If a company becomes aware of an issue, they act quickly to correct it
Any issues with hot coffee?
Very well known case!
Liebeck v. McDonald's Restaurants (1994)
• Known as the McDonald's coffee case and the hot coffee lawsuit
• A New Mexico civil jury awarded $2.86 million to plaintiff Stella Liebeck, who had suffered third-degree burns in her pelvic region when she accidentally spilled hot coffee in her lap after purchasing it from a McDonald's restaurant.
• Liebeck was hospitalized for eight days while she underwent skin grafting, followed by two years of medical treatment.
When Product Liability Goes Wrong?
• The McDonald's hot coffee case is thought to be where the legal system went wrong!
• Most people actually don't know the correct full story!
• This is really a case of "Failure To Warn"
  • Documents obtained from McDonald's showed that from 1982 to 1992 the company had received more than 700 reports of people burned by McDonald's coffee
  • The injuries were of varying degrees of severity, and McDonald's had settled claims arising from scalding injuries for more than $500,000.
  • Questions were asked: why was it so hot?
Does this provide value to end consumers / users of the product?
McDonald’s Coffee
Restaurant Health Codes
Deceptive Products
Product Recalls
• Consumer Products
  • appliances, clothing, electronic / electrical, furniture, household, children's products, lighting / lighter, outdoor, sports / exercise
• Motor Vehicles and Tires
• Child Safety Seats
• Food and Medicine
• Cosmetics and Environmental Products
Software Product Recalls?
When a product is marketed as secure and it isn't, how do software vendors handle it?
No more security patches or fixes for the product?
Product Liability for Software Vendors
Software Liability
• Software Liability: Our Saving Grace or Kiss of Death?
  • Debated by Marcus Ranum and Bruce Schneier at RSA 2012
• At this point, the issue seems to be still unresolved
  • With most people being on the side that it is an awful idea
Software Liability: Worst Idea
• Josh: Insert the mind map
Reason #1 - The Worst Possible Idea
• Stifle Innovation
  • New features and ideas would be slow to market due to financial exposures
  • Fewer features
  • Slower time to market
  • Could hurt competitiveness and/or client satisfaction
Reason #2 - The Worst Possible Idea
• Barriers to Entry?
  • Could Hurt Small Businesses and Startups
  • Large enterprises would easily adjust to the additional overhead, but it would cripple new and small businesses
Reason #3 - The Worst Possible Idea
• Economic Impacts
  • What does this mean to the economy? Potential for a massive amount of money to change hands. The uncertainty alone makes it an awful idea.
  • "IT" and software were/are HUGE parts of the US GDP (and growing faster)
Reason #4 - The Worst Possible Idea
• Vendor Impact
  • Companies unable to handle the cost
  • Raise prices
• But this is specious for a few reasons:
  • True Costs and Least Cost Avoiders are more efficient for the system
  • Hidden Costs and Cost of Ownership changes must be factored in
Restaurant Health Codes
Counters to: The Worst Possible Idea

                                  Food Safety                   Cars
1) Stifle Innovation              Chefs can't innovate?         Safety Differentiation
2) Barriers to Entry              Good!                         Outstanding!
3) Economic Impact                Doubtful                      Premium Pricing
4) Raise Prices/Exit Markets      To avoid illness/disease?     Free Market Demand
What's Working To Influence Better Security Practices?
What Are We Doing To Improve Security?
• PCI/DSS*
• SOX*
• Market Forces*
  • Companies only pick secure software (if they care)
• HHS/HITECH (regulatory fines)*
• SEC*
• FTC*
*Debatable
Software Vulnerabilities Over time
2013: 10,280
2012: 9,909
2011: 7,751
2010: 9,054
2009: 8,092
2008: 9,696
2007: 9,538
2006: 11,009
2005: 7,858
Data Breaches Over Time
Source: Risk Based Security - https://cyberriskanalytics.com
Why Aren't We Improving?
• Complexity
• Costs
• No real impact to end consumer?
• No real property or injury type issues?
• People just don't really care?
Some Economics
On Free Market Forces…
Information Asymmetry and Signaling
(figure: what the Seller Knows vs. what the Buyer Knows)
True Costs & Least Cost Avoiders
(figure: vendor ACME and its downstream customers: Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech)
Passing the Buck (and Cost)
(chart: Defensibility Index, 0–100, marking the Base, Security, Security++ and Goal levels)
True Costs & Least Cost Avoiders: Downstream
(figure: vendor ACME and its downstream customers: Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech)
The Fallacy of Broken Windows
Where Do We Go From Here?
The World Is Changing
Reliance On Poor Software
Poor software with security issues in the new Internet of Things world can now lead to:
• Bodily Injury
• Property Damage
• Financial Harm
Product Liability Is Already Here
• It's not the software that hurts people; it's a component of a larger finished product, making it a product failure, not just a software failure.
• MacPherson v. Buick Motor Co., 217 N.Y. 382, 111 N.E. 1050 (1916)
  • Donald C. MacPherson was injured when one of the wooden wheels of his 1909 "Buick Runabout" collapsed
  • Buick Motor Company had manufactured the vehicle, but not the wheel, which had been manufactured by another party but installed by the defendant.
• Software responsibility is going to fall on the final-goods manufacturer (no matter what) that delivers the final product
Product Liability Is Already Here
• The important portion of the MacPherson opinion:
  • "If the nature of a thing is such that it is reasonably certain to place life and limb in peril when negligently made, it is then a thing of danger. Its nature gives warning of the consequence to be expected. If to the element of danger there is added knowledge that the thing will be used by persons other than the purchaser, and used without new tests, then, irrespective of contract, the manufacturer of this thing of danger is under a duty to make it carefully. That is as far as we need to go for the decision of this case . . . . If he is negligent, where danger is to be foreseen, a liability will follow"
Software Part Of The Final Product
Financial Liability For Data Breach Already Exists
Financial Liability For Data Breach Already Exists
"Enhanced security and manageability via comprehensive and flexible access and authorization control"
Expansion Of Liability Is Likely Coming
• Liability already exists due to a data breach
  • Currently it falls on the company that had the breach, regardless of whether it was the fault of a software product they purchased and expected to have security in place
  • Large companies can handle the costs; however, small businesses end up filing for bankruptcy
  • Doing everything right, but the software they purchased with an expectation that it would be secure isn't
• Is this right?
Not from Whole Cloth
• UL for electronics
• NTSB & ASRS for aviation
• NHSTB? or NHTSA? for vehicles
• FDA & DHS ICS-CERT for medical
• FCC for "radio controlled"
• FTC for enforcement
• SEC for publicly traded
• Consumer Reports?
Taking Care: Incentives Incentivize (Perversely)
• Let's NOT recreate PCI DSS
• Outcomes over Inputs (Control Objectives over Controls)
• Visibility to support Free Market Forces and Choice
• Filter on "With the potential to affect human life and public safety"
• Due Care / Negligence / Reasonability
• Software must be "Patchable"
• HDMoore's Law (and/or OWASP Top 10?)
• We had better know what we really want to incentivize…
Yes… HDMoore's Law (Bellis & Roytman [&Geer])
"Punchline: Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee jerk; given the availability of data it is also passé, which we will now demonstrate."
-Geer/Roytman
How Could Software Liability Work?
• Not be prescriptive on what needs to be done / what security to implement
• Allow for the concept of liability to exist in the software world
  • Not just for tangible products
  • Not just for Bodily Injury / Property Damage
• Ensure security is not the last item on the priority list (new features FTW)
The EULA Elephant in the Room…
• EULAs may be the primary obstacle
  • These one-sided contracts cannot be overlooked
• EULA Reform may be close
  • E.g. No more than 1 page of plain speak
Things you can do
• Investigate/Join "The Cavalry" @iamthecavalry
  • Public Safety & Human Life
• Watch
  • Hot Coffee
• Reading:
  • Geekonomics by David Rice
  • Therac-25 History
Discussion!
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 

Kürzlich hochgeladen (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 

Software Liability?: The Worst Possible Idea (Except for all Others)

  • 1. SESSION ID: Software Liability?: The Worst Possible Idea (Except For All Others) ASEC-F01 Jake Kouns Chief Information Security Officer Risk Based Security @jkouns Joshua Corman CTO Sonatype @joshcorman
  • 2. #RSAC Worst quality image (except all others)
  • 3. #RSAC Agenda
    ◦ Why Liability? Why now?
    ◦ Product Liability 101
    ◦ Product Liability Implementation
    ◦ Why NOT to have Product Liability for Software Vendors
    ◦ Some Economics
    ◦ What is Changing the Equation
  • 6. #RSAC ! $4f3 @ * $p33d
  • 14. #RSAC Defined
    ◦ Wikipedia definition:
      ◦ Product liability is the area of law in which manufacturers, distributors, suppliers, retailers, and others who make products available to the public are held responsible for the injuries those products cause.
      ◦ Although the word "product" has broad connotations, product liability as an area of law is traditionally limited to products in the form of tangible personal property.
  • 24. #RSAC Who knows the name of this car?
  • 26. #RSAC Ford Pinto (1971 – 1980)
    ◦ Allegations that the Pinto's structural design allowed its fuel tank filler neck to break off and the fuel tank to be punctured in a rear-end collision, resulting in deadly fires from spilled fuel.
    ◦ 27 deaths were attributed to Pinto fires.
    ◦ According to a 1977 Mother Jones article by Mark Dowie, Ford allegedly was aware of the design flaw, refused to pay for a redesign, and decided it would be cheaper to pay off possible lawsuits.
  • 27. #RSAC Intended Value and Impact
    ◦ Companies put a larger emphasis on prevention of issues
    ◦ Companies put a larger emphasis on testing / precautions
    ◦ Companies put a culture in place and don’t take unnecessary risks due to financial impact
    ◦ Better risk management for the entire company
    ◦ If a company becomes aware of an issue, they act quickly to correct it
  • 28. #RSAC Any issues with hot coffee?
  • 30. #RSAC Liebeck v. McDonald’s Restaurants (1994)
    ◦ Known as the McDonald's coffee case and the hot coffee lawsuit
    ◦ A New Mexico civil jury awarded $2.86 million to plaintiff Stella Liebeck, who had suffered third-degree burns in her pelvic region when she accidentally spilled hot coffee in her lap after purchasing it from a McDonald's restaurant.
    ◦ Liebeck was hospitalized for eight days while she underwent skin grafting, followed by two years of medical treatment.
  • 31. #RSAC When Product Liability Goes Wrong?
    ◦ McDonald’s hot coffee is thought to be the case where the legal system goes wrong!
    ◦ Most actually don’t know the correct full story!
    ◦ This is really a case of “Failure To Warn”
    ◦ Documents obtained from McDonald's showed that from 1982 to 1992 the company had received more than 700 reports of people burned by McDonald's coffee
      ◦ Of varying degrees of severity; it had settled claims arising from scalding injuries for more than $500,000.
    ◦ Questions were asked: why was it so hot?
  • 32. #RSAC Does this provide value to end consumers / users of the product? McDonald’s Coffee
  • 35. #RSAC Product Recalls
    ◦ Consumer Products
      ◦ appliances, clothing, electronic / electrical, furniture, household, children's products, lighting / lighters, outdoor, sports / exercise
    ◦ Motor Vehicles and Tires
    ◦ Child Safety Seats
    ◦ Food and Medicine
    ◦ Cosmetics and Environmental Products
  • 36. #RSAC Software Product Recalls? When the product is marketed as secure and it isn’t, how do software vendors handle it? No more security patches or fixes for the product?
  • 38. #RSAC Software Liability
    ◦ Software Liability: Our Saving Grace or Kiss of Death?
      ◦ Debated by Marcus Ranum and Bruce Schneier at RSA 2012
    ◦ At this point, the issue still seems to be unresolved
      ◦ With most people being on the side that it is an awful idea
  • 39. #RSAC Software Liability: Worst Idea
    ◦ Josh: Insert the mind map
  • 40. #RSAC Reason #1 - The Worst Possible Idea
    ◦ Stifle Innovation
      ◦ New features and ideas would be slow to market due to financial exposures
      ◦ Fewer features
      ◦ Slower time to market
      ◦ Could hurt competitiveness and/or client satisfaction
  • 41. #RSAC Reason #2 - The Worst Possible Idea
    ◦ Barriers to Entry?
      ◦ Could hurt small businesses and startups
      ◦ Large enterprises would easily adjust to the additional overhead, but it would cripple new and small businesses
  • 42. #RSAC Reason #3 - The Worst Possible Idea
    ◦ Economic Impacts
      ◦ What does this mean to the economy? Potential for a massive amount of money to change hands. The uncertainty alone makes it an awful idea.
      ◦ “IT” and software were/are HUGE parts of the US GDP (and growing faster)
  • 43. #RSAC Reason #4 - The Worst Possible Idea
    ◦ Vendor Impact
      ◦ Companies unable to handle the cost
      ◦ Raise prices
    ◦ But this is specious for a few reasons:
      ◦ True Costs and Least Cost Avoiders are more efficient for the system
      ◦ Hidden costs and cost-of-ownership changes must be factored in
  • 45. #RSAC Counters to: The Worst Possible Idea (objection; food safety counter / cars counter)
    1) Stifle Innovation: Chefs can’t innovate? / Safety differentiation
    2) Barriers to Entry: Good! / Outstanding!
    3) Economic Impact: Doubtful / Premium pricing
    4) Raise Prices/Exit Markets: To avoid illness/disease? / Free market demand
  • 46. What’s Working To Influence Better Security Practices?
  • 47. #RSAC What Are We Doing To Improve Security?
    ◦ PCI/DSS*
    ◦ SOX*
    ◦ Market Forces*
      ◦ Companies only pick secure software (if they care)
    ◦ HHS/HITECH (regulatory fines)*
    ◦ SEC*
    ◦ FTC*
    *Debatable
  • 48. #RSAC Software Vulnerabilities Over Time (disclosed per year)
    2005: 7,858; 2006: 11,009; 2007: 9,538; 2008: 9,696; 2009: 8,092; 2010: 9,054; 2011: 7,751; 2012: 9,909; 2013: 10,280
  • 49. #RSAC Data Breaches Over Time Source: Risk Based Security - https://cyberriskanalytics.com
  • 50. #RSAC Why Aren’t We Improving?
    ◦ Complexity
    ◦ Costs
    ◦ No real impact to end consumer?
    ◦ No real property or injury type issues?
    ◦ People just don’t really care?
  • 52. #RSAC On Free Market Forces…
  • 53. #RSAC Information Asymmetry and Signaling (diagram: what the seller knows vs. what the buyer knows)
  • 54. #RSAC True Costs & Least Cost Avoiders (diagram: ACME supplying Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech customers)
  • 58. #RSAC True Costs & Least Cost Avoiders (diagram, continued)
  • 59. #RSAC True Costs & Least Cost Avoiders: Downstream (diagram, continued)
  • 60. #RSAC The Fallacy of Broken Windows
  • 61. #RSAC True Costs & Least Cost Avoiders (diagram, continued)
  • 62. Where Do We Go From Here?
  • 63. #RSAC The World Is Changing
  • 64. #RSAC Reliance On Poor Software
    Poor software with security issues in the new Internet of Things world can now lead to:
    ◦ Bodily Injury
    ◦ Property Damage
    ◦ Financial Harm
  • 65. #RSAC Product Liability Is Already Here
    ◦ It’s not the software that hurts people; it’s a component of a larger finished product, making it a product failure, not just a software failure.
    ◦ MacPherson v. Buick Motor Co., 217 N.Y. 382, 111 N.E. 1050 (1916)
      ◦ Donald C. MacPherson was injured when one of the wooden wheels of his 1909 "Buick Runabout" collapsed
      ◦ Buick Motor Company had manufactured the vehicle, but not the wheel, which had been manufactured by another party but installed by the defendant.
    ◦ Software responsibility is going to be on the final goods manufacturer (no matter what) that is delivering the final product
  • 66. #RSAC Product Liability Is Already Here
    ◦ The important portion of the MacPherson opinion:
      ◦ “If the nature of a thing is such that it is reasonably certain to place life and limb in peril when negligently made, it is then a thing of danger. Its nature gives warning of the consequence to be expected. If to the element of danger there is added knowledge that the thing will be used by persons other than the purchaser, and used without new tests, then, irrespective of contract, the manufacturer of this thing of danger is under a duty to make it carefully. That is as far as we need to go for the decision of this case . . . . If he is negligent, where danger is to be foreseen, a liability will follow”
  • 67. #RSAC Software Part Of The Final Product
  • 68. #RSAC Financial Liability For Data Breach Already Exists
  • 69. #RSAC Financial Liability For Data Breach Already Exists “Enhanced security and manageability via comprehensive and flexible access and authorization control”
  • 70. #RSAC Expansion Of Liability Is Likely Coming
    ◦ Liability already exists due to a data breach
    ◦ Currently it falls on the company that had the breach, regardless of whether it was the fault of a software product they purchased and expected to have security in place
    ◦ Large companies can handle the costs; however, small businesses may end up filing for bankruptcy
      ◦ Doing everything right, but the software they purchased with an expectation that it would be secure isn’t
    ◦ Is this right?
  • 71. #RSAC Not from Whole Cloth
    ◦ UL for electronics
    ◦ NTSB & ASRS for aviation
    ◦ NHSTB? or NHTSA? for vehicles
    ◦ FDA & DHS ICS-CERT for medical
    ◦ FCC for “radio controlled”
    ◦ FTC for enforcement
    ◦ SEC for publicly traded
    ◦ Consumer Reports?
  • 72. #RSAC Taking Care: Incentives Incentivize (Perversely)
    ◦ Let’s NOT recreate PCI DSS
    ◦ Outcomes over Inputs (Control Objectives over Controls)
    ◦ Visibility to support Free Market Forces and Choice
    ◦ Filter on “With the potential to affect human life and public safety”
    ◦ Due Care / Negligence / Reasonability
      ◦ Software must be “Patchable”
      ◦ HDMoore’s Law (and/or OWASP Top 10?)
    ◦ We had better know what we really want to incentivize…
  • 73. #RSAC Yes… HDMoore’s Law (Bellis & Roytman [&Geer])
    “Punchline: Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee jerk; given the availability of data it is also passé, which we will now demonstrate.” -Geer/Roytman
  • 74. #RSAC How Could Software Liability Work?
    ◦ Not be prescriptive on what needs to be done / which security measures to implement
    ◦ Allow for the concept of liability to exist in the software world
      ◦ Not just for tangible products
      ◦ Not just for Bodily Injury / Property Damage
    ◦ Ensure security is not the last item on the priority list (new features FTW)
  • 75. #RSAC The EULA Elephant in the Room…
    ◦ EULAs may be the primary obstacle
    ◦ These one-sided contracts cannot be overlooked
    ◦ EULA reform may be close
      ◦ E.g. no more than 1 page of plain speak
  • 76. #RSAC Things you can do
    ◦ Investigate/Join “The Cavalry” @iamthecavalry
      ◦ Public Safety & Human Life
    ◦ Watch
      ◦ Hot Coffee
    ◦ Reading:
      ◦ Geekonomics by David Rice
      ◦ Therac-25 History

Editor's notes (speaker notes)

  1. IMG SRC: http://oxford.tab.co.uk/2013/05/08/henrys-view-anti-misogyny-movement-not-helping-itself/?comment_sort=recent
  2. FTC
  3. IMG SRC: http://circa71.files.wordpress.com/2010/08/cuy-river-fire1.jpg. In 1969, the Cuyahoga River in Ohio caught on fire and stayed on fire… it took this to finally get serious discussion about pollution. We believe a similar trigger will likely be required to cause SW Liability and/or significant criminalization of research changes.
  4. Photo taken by Speaker – Joshua Corman
  5. http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ WATCH THE VIDEO. http://www.scmagazine.com/researchers-shed-light-on-car-hacking/article/320604/
  6. SOURCE: http://www.startribune.com/business/225601262.html
  7. Comic relief to Kevin’s conversation with Josh RE: BlueTooth on insulin pumps. “Everything’s better with bacon? Everything’s better with BlueTooth” – Kevin Fu. IMG SRC: http://beekn.net/2013/12/bluetooth-le-arduino-wifi-android/
  8. SOURCE: http://www.cnn.com/2013/09/27/us/miss-teen-usa-sextortion/
  9. SOURCE: http://www.networkworld.com/community/blog/firesheep-moment-scada-hacking-critical-infrastructure-systems-now-easy-pushing-button
  10. http://en.wikipedia.org/wiki/Product_liability. Issues or claims most commonly associated with product liability are: liability, breach of warranty, negligence, consumer protection, strict liability.
  11. Manufacturing: explore “Poor quality materials” [sic: open source code with a known CVE over X at the time (window) of release]. Manufacturing: explore “shoddy workmanship” as things like: no published SDLC, no 3rd-party scan, violating OWASP Top 10, ____, ____. Manufacturing defects are those that occur in the manufacturing process and usually involve poor-quality materials or shoddy workmanship.
  12. Design: explore expectations of “safe” in context of OWASP? 3rd-party testing? 5-star crash testing? Design: “risks outweigh the benefits” could be worked but could be tricky. The BlueTooth stack on an insulin pump over a MUCH safer direct wire. Design defects occur where the product design is inherently dangerous or useless (and hence defective) no matter how carefully manufactured; this may be demonstrated either by showing that the product fails to satisfy ordinary consumer expectations as to what constitutes a safe product, or that the risks of the product outweigh its benefits.
  13. Warn: perhaps some sort of ongoing monitoring of the 3rd-party and open source code ingredients you’ve used (e.g.). Failure-to-warn defects arise in products that carry inherent nonobvious dangers which could be mitigated through adequate warnings to the user, and these dangers are present regardless of how well the product is manufactured and designed for its intended purpose.
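Notes 11 and 13 sketch a concrete test a liability regime could apply to software: did the release ship an ingredient with a publicly known, serious vulnerability, and is anyone still watching those ingredients afterwards? Slide 73 adds that remediation should be steered by exploit availability rather than CVSS alone. The following is an added example (not from the deck and not any vendor's code) that models a release gate over a constructed component list and constructed advisory records; every component name, CVE id, date and score in it is a placeholder.

```python
"""Release gate: 'poor quality materials' check and exploit-aware ranking.

Added example, not part of the RSAC deck. Models two ideas from the talk:
  * a component shipped with a publicly known, high-severity vulnerability
    (published before the release date) looks like a manufacturing defect;
  * remediation order should weigh exploit availability (the HDMoore's Law
    argument on slide 73) rather than CVSS score alone.
All component names, CVE ids, dates and scores are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str          # dotted numeric version, e.g. "1.2.0"


@dataclass(frozen=True)
class Advisory:
    cve: str              # placeholder id, not a real CVE
    component: str
    fixed_in: str         # versions below this are affected
    cvss: float
    published: date
    public_exploit: bool  # a public exploit module is known to exist


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: Advisory
    known_at_release: bool   # advisory published on/before the release date


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.2.0" into (1, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected if it is the named package and older than the fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def evaluate_release(components: List[Component], advisories: List[Advisory],
                     release_date: date) -> List[Finding]:
    """Match components against advisories and rank findings for remediation.

    Ranking: public exploit first, then flaws already public at release, then CVSS.
    """
    findings = [
        Finding(c, a, known_at_release=a.published <= release_date)
        for c in components for a in advisories if is_affected(c, a)
    ]
    findings.sort(key=lambda f: (not f.advisory.public_exploit,
                                 not f.known_at_release,
                                 -f.advisory.cvss))
    return findings


def cvss_only_order(findings: List[Finding]) -> List[Finding]:
    """The ordering a CVSS-only policy would produce, for comparison."""
    return sorted(findings, key=lambda f: -f.advisory.cvss)


def manufacturing_defects(findings: List[Finding], cvss_threshold: float = 7.0) -> List[Finding]:
    """Findings matching the 'known CVE above X at the time of release' criterion."""
    return [f for f in findings
            if f.known_at_release and f.advisory.cvss >= cvss_threshold]


# Constructed sample data (placeholders, not real packages or CVEs).
RELEASE_DATE = date(2014, 2, 1)
COMPONENTS = [
    Component("libparse", "1.2.0"),
    Component("netstack", "3.0.1"),
    Component("imgcodec", "0.9.5"),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "libparse", "1.2.3", 9.8, date(2013, 11, 1), True),
    Advisory("CVE-0000-0002", "netstack", "3.1.0", 5.3, date(2013, 12, 10), True),
    Advisory("CVE-0000-0003", "imgcodec", "1.0.0", 8.1, date(2014, 3, 1), False),
    Advisory("CVE-0000-0004", "libparse", "1.1.0", 7.5, date(2013, 6, 1), True),  # already fixed
]


def demo() -> List[Finding]:
    findings = evaluate_release(COMPONENTS, ADVISORIES, RELEASE_DATE)
    print("Remediation order (exploit-aware):", [f.advisory.cve for f in findings])
    print("CVSS-only order:", [f.advisory.cve for f in cvss_only_order(findings)])
    print("Manufacturing-defect candidates:",
          [f.advisory.cve for f in manufacturing_defects(findings)])
    return findings


if __name__ == "__main__":
    demo()
```

On the constructed data the exploit-aware order puts the low-CVSS but exploited netstack flaw ahead of the higher-scored imgcodec one, while only the libparse flaw was both public and severe at release time.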
  17. Warranties are statements by a manufacturer or seller concerning a product during a commercial transaction. Breach of warranty-based product liability claims usually focus on one of three types: breach of an express warranty; breach of an implied warranty of merchantability; breach of an implied warranty of fitness for a particular purpose.
  18. Physical injury is the keen focus of the Cavalry as we hone down the scope. Lemon laws may need exploration later as signaling to overcome info asymmetry and suboptimal outcomes for “both/all” parties. Many states have enacted consumer protection statutes providing for specific remedies for a variety of product defects. Statutory remedies are often provided for defects which merely render the product unusable (and hence cause economic injury) but do not cause physical injury or damage to other property; the "economic loss rule" means that strict liability is generally unavailable for products that damage only themselves. The best known examples of consumer protection laws for product defects are lemon laws, which became widespread because automobiles are often an American citizen's second-largest investment after buying a home.
  19. The National Highway Traffic Safety Administration (NHTSA) ultimately directed Ford to recall the Pinto.
  20. Documentary on this called Hot CoffeeFree refills of coffee were offered and it was decided to make it so hot so they couldn’t drink it fast enough to need refills.
  21. http://www.smh.com.au/small-business/managing/kitchen-nightmares-roaches-rats-and-bandaids-20110811-1inte.html
  22. The marketers of Sensa, a weight-loss powder sprinkled on food, will pay $26.5 million to settle agency charges that the company made unfounded weight-loss claims and used misleading endorsements
  23. When products do not work as expected, orgs are expected to make it right, in terms of recalls and correcting at their cost, not the consumer’s.
  24. When products do not work as expected, orgs are expected to make it right, in terms of recalls and correcting at their cost, not the consumer’s. How would it be if a car company said support was EOL? No more recalls / fixes.
  25. Fair amount of discussion on this topic with two extreme sides. RSA debate: http://www.youtube.com/watch?v=5rSScJinPoQ (The goal was to solve and resolve these issues once and for all.)
  26. There are lots of ideas here; this isn’t a straightforward issue. Lots of complexity; however, we are going to highlight a few of the points most frequently used as reasons it is a bad idea.
  27. http://www.smh.com.au/small-business/managing/kitchen-nightmares-roaches-rats-and-bandaids-20110811-1inte.html
  28. ExSqueeze me?! Baking Powder? – I’ll have to hear your case. Just listing the responses to improving security.
  29. This chart needs updating. It isn’t current unfortunately.
  30. JOSH: I’ve done recent keynotes on a lot of this (and the next section of changing landscape). I can flesh this out.
  31. http://blogs.telegraph.co.uk/news/danielhannan/100095953/news-of-the-world-closed-by-market-forces-the-system-works/
  32. http://asrs.arc.nasa.gov/images/logo.jpg
  33. SOURCE: http://www.youtube.com/watch?v=hXC9FI1nAqs. Might not be the best one, but had a good visual to screenshot. Basic point is: destruction is not stimulative. Hidden costs/impacts and opportunity costs.
  34. Image from http://www.davenussbaum.com/adapting-to-change/
  37. Everyone knows the Target data breach. It was a PoS system that was hacked. Was it really Target’s fault? Target’s U.S. stores, but multiple sources say U.S. stores have traditionally used home-grown software called Domain Center of Excellence. We know Target is going to pay.
  38. Target is rolling out Retalix in place of the home-grown system. It advertises its product as “Enhanced security and manageability via comprehensive and flexible access and authorization control”. If the breach occurred and it was a Retalix security issue… who pays?
  39. We need to help shape it now and stop saying it isn't a good solution
  40. http://asrs.arc.nasa.gov
  41. http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
  42. http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/ and http://blog.risk.io/2013/08/stop-fixing-all-the-things-bsideslv/ . See also the Dan Geer & Mike Roytman USENIX white paper on this: https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf
  43. http://ad-challenger.blogspot.com/2012/04/web-typography-coping-with-ele-font-in.html
  44. http://www.iamthecavalry.org . 18m TEDx for the Cavalry, “Swimming w/ Sharks: Security in the Internet of Things”: http://www.youtube.com/watch?v=rZ6xoAtdF3o . Geekonomics: http://www.amazon.com/Geekonomics-Real-Insecure-Software-paperback/dp/0321735978
  44. http://www.iamthecavalry.org18m TEDx for the Cavalry “Swimming w/ Sharks: Security in the Internet of Things”http://www.youtube.com/watch?v=rZ6xoAtdF3ohttp://www.amazon.com/Geekonomics-Real-Insecure-Software-paperback/dp/0321735978