论文信息 - Agents of responsibility in software vulnerability processes

Agents of responsibility in software vulnerability processes

Modern software is infested with flaws having information security aspects. Pervasive computing has made us and our society vulnerable. However, software developers do not fully comprehend what is at stake when faulty software is produced and flaws causing security vulnerabilites are discovered. To address this problem, the main actors involved with software vulnerability processes and the relevant roles inside these groups are identified. This categorisation is illustrated through a fictional case study, which is scrutinised in the light of ethical codes of professional software engineers and common principles of responsibility attribution. The focus of our analysis is on the acute handling of discovered vulnerabilities in software, including reporting, correcting and disclosing these vulnerabilities. We recognise a need for guidelines and mechanisms to facilitate further improvement in resolving processes leading to and in handling software vulnerabilities. In the spirit of disclosive ethics we call for further studies of the complex issues involved.

Juha Röning | Marko Laakso | Ari Takanen | Petri Vuorijärvi

[1] Cem Kaner. Software Engineering and UCITA, 18 J. Marshall J. Computer & Info. L. 435 (2000) , 1999 .

[2] Jerry L. Hatfield,et al. How good is good enough , 2002 .

[3] Juha Röning,et al. Running Malicious Code By Exploiting Buffer Overflows: A Survey Of Publicly Available Exploits , 2000 .

[4] Keith W. Miller,et al. Computer society and ACM approve software engineering code of ethics , 1999 .

[5] Nancy G. Leveson,et al. Safeware: System Safety and Computers , 1995 .

[6] William A. Arbaugh,et al. IEEE 52 Computer , 1985 .

[7] J. Röning,et al. The Vulnerability Process: A Tiger Team Approach to Resolving Vulnerability Cases , 1999 .

[8] Philip Brey,et al. Method in computer ethics: Towards a multi-level interdisciplinary approach , 1999, Ethics and Information Technology.

[9] Norman Mooradian,et al. A Gift of Fire: Social, Legal, and Ethical Issues in Computing , 1998 .

[10] J. Moor. What Is Computer Ethics?* , 1985, The Ethics of Information Technologies.

[11] Keith W. Miller,et al. How good is good enough?: an ethical analysis of software construction and use , 1994, CACM.

[12] Anton Vedder. Accountability of Internet access and service providers – strict liability entering ethics? , 2004, Ethics and Information Technology.

[13] John Ladd,et al. Computers and moral responsibility: a framework for an ethical analysis , 1991 .

[14] Peter G. Neumann,et al. Computer-related risks , 1994 .