
Ethics and Information Technology, Volume 6, Issue 2, pp 93–110

Agents of responsibility in software vulnerability processes

  • Ari Takanen
  • Petri Vuorijärvi
  • Marko Laakso
  • Juha Röning
Article

Abstract

Modern software is infested with flaws that have information security implications. Pervasive computing has made us and our society vulnerable. However, software developers do not fully comprehend what is at stake when faulty software is produced and flaws causing security vulnerabilities are discovered. To address this problem, the main actors involved in software vulnerability processes and the relevant roles within these groups are identified. This categorisation is illustrated through a fictional case study, which is scrutinised in the light of the ethical codes of professional software engineers and common principles of responsibility attribution. The focus of our analysis is on the acute handling of discovered vulnerabilities in software, including reporting, correcting and disclosing these vulnerabilities. We recognise a need for guidelines and mechanisms to facilitate further improvement both in resolving the processes that lead to software vulnerabilities and in handling them once found. In the spirit of disclosive ethics we call for further studies of the complex issues involved.

Keywords: information security; professional ethics; security evaluation; software development; software testing; software vulnerability



Copyright information

© Kluwer Academic Publishers 2004

Authors and Affiliations

  • Ari Takanen (1)
  • Petri Vuorijärvi (1)
  • Marko Laakso (1)
  • Juha Röning (1)

  1. University of Oulu, Finland
