Security by Design
The “Security by Design” project is a multiyear initiative with the objective of creating a density of work product in the area of software design security. This project evaluates several elements of software security, from the secure-by-design and secure-by-default principles to how legal and policy processes could require or incentivize security by design from software developers. It features long-form research papers, articles, podcast interviews and documentation on these questions.
- The Difficulties of Defining “Secure-by-Design”
  New survey findings and efforts to identify the most impactful security controls underscore the need for an empirical approach to defining—and promoting—security-by-design.
- It’s Morning Again in Pennsylvania: Rebooting Computer Security Through a Bureau of Technology Safety
  In order to escape the computer security bootloop, Congress can create a new technology safety regulator of last resort—the Bureau of Technology Safety (BoTS).
- The Lawfare Podcast: Jim Dempsey on Standards for Software Liability
  What should a software liability regime look like?
- Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor
  A proposed system intended to respond to the criticism that software security is context dependent, to minimize the cost of litigation, and to incentivize improvements in software security.
- The Lawfare Podcast: Three CISA Senior Advisers on Secure by Design
  What is Security by Design?
- Shields Up For Software
  As the Biden administration seeks to develop software liability legislation, consider a regime that incorporates one safe harbor and one “inverse safe harbor.”
- Who’s Afraid of Products Liability? Cybersecurity and the Defect Model
  The law of products liability has the flexibility and sophistication to anchor the legal liability portion of Biden’s National Cybersecurity Strategy.
- Announcing a New Lawfare Project on ‘Security by Design’
  The multiyear project will evaluate the elements of this strategic approach to software security.