{"id":28632,"date":"2020-05-06T20:32:32","date_gmt":"2020-05-07T01:32:32","guid":{"rendered":"http:\/\/huewhite.com\/umb\/?p=28632"},"modified":"2020-05-06T20:32:32","modified_gmt":"2020-05-07T01:32:32","slug":"big-time-software-small-time-warranty-ctd-3","status":"publish","type":"post","link":"https:\/\/huewhite.com\/umb\/2020\/05\/06\/big-time-software-small-time-warranty-ctd-3\/","title":{"rendered":"Big Time Software, Small Time Warranty, Ctd"},"content":{"rendered":"<p>It turns out that there are moves afoot to address the <a href=\"https:\/\/huewhite.com\/umb\/2020\/04\/24\/big-time-software-small-time-warranty-ctd-2\/\" target=\"_blank\" rel=\"noopener noreferrer\">problems of software reliability<\/a> from a legal viewpoint, as Dr. Trey Herr <a href=\"https:\/\/www.lawfareblog.com\/software-liability-just-starting-point\" target=\"_blank\" rel=\"noopener noreferrer\">explains<\/a> on <em><strong>Lawfare.<\/strong><\/em>\u00a0For example:<\/p>\n<blockquote><p>Liability is the legal mechanism to hold a goods and services provider accountable for the quality, security and safety of those goods and services. Determining acceptable quality, security and safety requires clear standards. In the jargon of the legal class, this refers to a \u201cduty of care\u201d\u2014the minimum obligation required of a provider whose products might harm their users. The duty of care becomes critically important in defining the standard of behavior expected of final goods assemblers. 
An effective standard might well create legal obligations to set \u201cend-of-life\u201d dates for software, remove copyright protections that inhibit security research, or block the use of certain software languages that have\u00a0<a href=\"https:\/\/arxiv.org\/pdf\/1008.3434.pdf\">inherent flaws<\/a>\u00a0or make it\u00a0<a href=\"https:\/\/www.veracode.com\/sites\/default\/files\/pdf\/resources\/sossreports\/state-of-software-security-volume-10-veracode-report.pdf\">difficult<\/a>\u00a0to produce code with few errors.<\/p>\n<p>But as a 2016 National Institute of Standards and Technology (NIST) report\u00a0<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/ir\/2016\/NIST.IR.8151.pdf\">noted<\/a>, determining which errors are \u201c\u2018sloppy and easily avoidable\u2019 is not a trivial matter.\u201d Even avoiding simple errors is not an affirmation of sterling quality. A handful of efforts, new and old, try to address this problem. Some look at specific high-impact sectors like\u00a0<a href=\"https:\/\/smartgrid.ieee.org\/images\/files\/pdf\/building_code_for_power_system_software_security.pdf\">power generation and distribution<\/a>, and\u00a0<a href=\"https:\/\/cspri.seas.gwu.edu\/sites\/g\/files\/zaxdzs1446\/f\/Landwehr%2B-%2BBuilding%2BCode%2BFinal%2BEdit%2BReport%2B3_0.pdf\">medical device manufacturing<\/a>. Others are more holistic, such as Microsoft\u2019s Security Development Lifecycle, a decade-plus-long effort from SAFE Code and their\u00a0<a href=\"https:\/\/safecode.org\/wp-content\/uploads\/2018\/03\/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf\">Fundamental Practices for Secure Software Development<\/a>, and the still new\u00a0<a href=\"https:\/\/www.bsa.org\/files\/reports\/bsa_software_security_framework_web_final.pdf\">Framework for Secure Software<\/a>\u00a0from BSA. 
NTIA\u2019s\u00a0<a href=\"https:\/\/www.ntia.doc.gov\/SoftwareTransparency\">Software Bill of Materials<\/a> (SBOM) effort is complementary in addressing how organizations track what code they use rather than how it is developed or patched.<\/p><\/blockquote>\n<p>The article&#8217;s a bit of a slog, but if you ponder using more than murky economic tools to encourage better software, this may prove to be a good starting point.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It turns out that there are moves afoot to address the problems of software reliability from a legal viewpoint, as Dr. Trey Herr explains on Lawfare.\u00a0For example: Liability is the legal mechanism to hold a goods and services provider accountable for the quality, security and safety of those goods and \u2026 <a class=\"continue-reading-link\" href=\"https:\/\/huewhite.com\/umb\/2020\/05\/06\/big-time-software-small-time-warranty-ctd-3\/\"> Continue reading <span class=\"meta-nav\">&rarr; <\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-28632","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts\/28632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/comments?post=28632"}],"version-history":[{"count":1,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts\/28632\/revisions"}],"predecessor-version":[{"id":28633,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts\/28632\/revisions\/28633"}],"wp:attachment":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/media?parent=28632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/categories?post=28632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/tags?post=28632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}