Contracting over the quality aspect of security in software product markets
Source: Conference on Computer and Communications Security archive
Proceedings of the 2nd ACM workshop on Quality of protection
Alexandria, Virginia, USA
SESSION: Software security metrics
Pages: 19-26
Year of Publication: 2006
ISBN: 1-59593-553-3
Author: Jari Råman, University of Lapland, Rovaniemi, Finland
Sponsors: ACM (Association for Computing Machinery); SIGSAC (ACM Special Interest Group on Security, Audit, and Control)
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1179494.1179499
ABSTRACT

Secure software development has gained momentum during the past couple of years and improvements have been made. Buyers have started to demand secure software, and contractual practices for taking security into consideration in the software purchasing context have been developed. Software houses are naturally very keen to provide what their potential customers desire with respect to the security and quality of their products. This study analyses the capacity of private bargaining to incite secure software development and suggests methods for improvement. I argue that without appropriate regulatory intervention the level of security will not improve to meet the needs of the network society as a whole. There are no appropriate incentives for secure development in the market for software products: the software houses do not have to bear the costs resulting from vulnerabilities in their software, and the buyers' capability to separate a secure product from an insecure one is limited.

