Geekonomics - The Real Cost of Insecure Software

Rice, David; Basu, Chaton

doi:10.1080/15536548.2007.10855823

Cited by 10 publications

(10 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The combination of software complexity and speed-to-market has put a tremendous strain on software quality. Software application providers have become vulnerable to losing business due to their resources being stretched in software assurance.The economic cost of security vulnerability in web applications alone is currently estimated to be $180 billion and E-Tailers lost about $22 billion in the US last year because of consumers hesitant to do business on-line due to security fears [7].…”

Section: Introductionmentioning

confidence: 99%

WEAVE: WEb Applications Validation Environment

Sunitha

Tkachuk

Prasad

et al. 2009

2009 31st International Conference on Software Engineering - Companion Volume

View full text Add to dashboard Cite

Ensuring software quality in the presence of multiple software development methodologies such as agile and waterfall models is a challenging task. Web applications are released to customers in "Beta" mode due to tremendous pressure on "time-to-market". In order to check end-to-end functional behavior of web applications, conventional testing tools have not matched short release cycles and have not kept up with agile software methodologies. In this paper we present a tool framework called WEb Applications Validation Environment (WEAVE) for checking functional behavior such as business logic and security of web applications. We have used WEAVE for finding defects in large Javacentric commercial-strength Web applications. As part of WEAVE, we have developed (1) a semi-automatic method for environment generation to constrain the behavior of the application for scalability, (2) an intuitive interface for engineers to construct requirements that are compiled into temporal logic to address the issue of usability, and (3) symbolic execution tailored to finding business logic and security defects. We describe how we have architected WEAVE as a web service for company's internal software teams to improve software quality without an upfront investment in licenses and computing infrastructure.

show abstract

Section: Introductionmentioning

confidence: 99%

WEAVE: WEb Applications Validation Environment

Sunitha

Tkachuk

Prasad

et al. 2009

2009 31st International Conference on Software Engineering - Companion Volume

View full text Add to dashboard Cite

show abstract

“…Vehicles were not equipped with seat belts or crumple zones, as the vendors considered aesthetics more of a selling point than safety. Eventually public opinion changed, catalysed by Ralph Nader's book Unsafe at Any Speed [85], and by US case law enabling accident victims to sue the manufacturer and not just the driver or the car dealer [93]. This led to a change of attitude by car makers, helped along by a multitude of regulatory interventions relating to seatbelts, airbags, driver training, highway design, lighting, signage, and crash barriers.…”

Section: Analogy With Car Safetymentioning

confidence: 99%

“…Cyber-criminals can in principle use any network-attached device -be it a PC, a mobile phone, or even a medical device -to launch service-denial attacks, send spam, and host unlawful content such as phishing websites and indecent images of children. A case has been made, for example, that US lawmakers should create a specific tort of the negligent enablement of cybercrime [93]. Even if the EU is not going to have a 'Software Liability Directive', does it need a regulation creating liability for vendors who negligently put into circulation large numbers of devices that are easily infected by crimeware?…”

Section: Software and Systems Liability Optionsmentioning

confidence: 99%

“…That person in turn might sue the person from whom he bought the car, and so on, until eventually a lawsuit arrived at the car maker's factory. Needless to say, this placed an enormous burden on the victim of a design defect, and, following a series of court cases from 1916, the US courts eventually ruled in the landmark Greenman v. Yuba Power Products case in 1963 that the victim of a design or manufacturing defect could sue the maker of the defective product directly [93]. This principle arrived in European law in 1985 via the Product Liability Directive which adopted language similar to that used by Judge Traynor in Greenman [42].…”

Section: Product Liabilitymentioning

confidence: 99%

“…It is also becoming clear that as our civilisation comes to depend more and more on software, the culture of impunity among software writers and vendors cannot continue indefinitely. For example, the UK House of Lords Science and Technology Committee recommended, in the context of an inquiry into Personal Internet Security, that that the UK government should, working through the EU, seek to rectify the inappropriate liability assignments in the medium term [61]; a special adviser to President Bush remarked in 2004 that it was unsustainable to hold software companies blameless, and hoped that liability would be fixed by the courts as the only institution with the flexibility to adapt to rapid technological change [93]. It is a long-established principle in tort law that one should assign liability to the party best able to prevent the undesired outcome.…”

Section: Analogy With Car Safetymentioning

confidence: 99%

See 2 more Smart Citations

Security Economics and European Policy

Anderson

Böhme

Clayton

et al. 2008

Managing Information Risk and the Economics of Security

View full text Add to dashboard Cite

we were awarded a contract by the European Network and Information Security Agency (ENISA) to investigate failures in the market for secure electronic communications within the European Union, and come up with policy recommendations. In the process, we spoke to a large number of stakeholders, and held a consultative meeting in December 2007 in Brussels to present draft proposals. This established that almost all of our proposals have wide stakeholder support. The formal outcome of our work was a detailed report, 'Security Economics and the Internal Market', that is due to be published by ENISA. This paper is a much abridged version (about half the length): in it, we present the recommendations we made, and then a summary of our reasoning. By way of disclaimer, we state that these recommendations are our own and do not necessarily reflect the policy of ENISA or any other European institution.The background should be familiar enough. The direct cost to Europe of electronic crime, including both losses and protective measures, is measured in billions of euros; and growing public concerns about information security hinder the development of both markets and public services, causing even greater indirect costs. For example, while we were writing this report, the UK government confessed to the loss of child-benefit records affecting 25 million citizens. Privacy concerns are stalling the development of e-health and other systems.Information security is now a mainstream political issue. An appropriate regulatory framework, which is just as important for protecting economic and other activity online as it is offline. The European Union already has a number of laws on matters from e-commerce through telecomms regulation to consumer protection and product liability that regulate online activity, but the pace of change has left a number of gaps. To close these, we make the following recommendations. Recommendations1: There has long been a shortage of hard data about information security failures, as many of the available statistics are not only poor but are collected by parties such as security vendors or law enforcement agencies that have a vested interest in under-or over-reporting. Crime statistics are problematic enough in the traditional world, but things are harder still online because of the novelty and the lack of transparency. For example, citizens who are the victims of fraud often have difficulty finding out who is to 1 blame because the incidents that compromised their personal data may have been covered up by the responsible data controllers. These problems are now being tackled with some success in many US states with security-breach reporting laws, and Europe needs one too.We recommend that the EU introduce a comprehensive security-breach notification law.2: Our survey of the available statistics has led us to conclude that there are two particularly problematic 'black holes' where data are fragmentary or simply unavailable. These are banks and ISPs. On the banking side, only the UK publishes detailed figures...

show abstract

Managing Risk and Information Security

Harkins

2016

View full text Add to dashboard Cite

ApressOpen Rights: You have the right to copy, use and distribute this Work in its entirety, electronically without modification, for non-commercial purposes only. However, you have the additional right to use or alter any source code in this Work for any commercial or non-commercial purpose which must be accompanied by the licenses in (2) and (3) below to distribute the source code for instances of greater than 5 lines of code. Licenses (1), (2) and (3) below and the intervening text must be provided in any use of the text of the Work and fully describes the license granted herein to the Work. (1) License for Distribution of the Work: This Work is copyrighted by Malcolm Harkins, all rights reserved. Use of this Work other than as provided for in this license is prohibited. By exercising any of the rights herein, you are accepting the terms of this license. You have the non-exclusive right to copy, use and distribute this English language Work in its entirety, electronically without modification except for those modifications necessary for formatting on specific devices, for all non-commercial purposes, in all media and formats known now or hereafter. While the advice and information in this Work are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein. If your distribution is solely Apress source code or uses Apress source code intact, the following licenses (2) and (3) must accompany the source code. If your use is an adaptation of the source code provided by Apress in this Work, then you must use only license (3).

show abstract

Geekonomics - The Real Cost of Insecure Software

Cited by 10 publications

References 0 publications

WEAVE: WEb Applications Validation Environment

WEAVE: WEb Applications Validation Environment

Security Economics and European Policy

Managing Risk and Information Security

Contact Info

Product

Resources

About