6th European Conference - Academic Conferences
Mecealus Cronkrite et al.
trivial. Today most web code is generated by content management frameworks, so the workload has shifted from the individual developer to the tools.
3.3 Mitigation: Professionally license CCI software developers and publishers
Many vital economic sectors in the physical world have accredited professionals to create a culture of quality and security. Electricians, architects, and engineering professionals are certified and accredited to practice because the quality of their work affects public safety and infrastructure. However, unlike other CI professions, there are no legally recognized accreditation processes for IT. Anyone can develop software without liability for the behaviour of that software. IT workers design, construct, and manage applications, databases, and network systems for all types of public trust transactions. They do all of this without such professional support systems.
The safety and security measures used in other professions can serve as a model for software assurance. Like these conventional professions, IT professions are also responsible for major portions of the critical infrastructure in the cyber world. “[IT] practitioners can produce results as inconvenient or dangerous as any medical or legal mishap, without their having the amount of regulation or informed public scrutiny which both those areas command.” (Wilkes, 1997: 88) By leveraging the existing professional frameworks that support other CI professions such as accounting, engineering, and medicine, we can adopt policies and technologies that support improved public safety. Existing technology systems can create accountability for the software industry and transparency for its customers.
While academic training and apprenticeship still provide the basis for disseminating knowledge of good models and best practices, professional boards and licenses should support these practices with ethics. Certification and licensing options have the potential to legitimize IT as a profession by improving the quality of its output (Wilkes, 1997). These certifications still face implementation challenges: there are numerous standards and organizational bodies in the software industry, but none of them has any enforcement capability, which makes adoption of any minimum standard extremely difficult. Key industry organizations such as the ACM and IEEE, and others that lead the professionalism of the industry, have only voluntary membership, which limits their effectiveness.
Any application that supports the CI should have certified developers and publishers licensed to code for CCI systems. Through this differentiation, the consumer gets security accountability built into systems. The market will begin to shift toward demanding the same levels of quality expected in other industries, which will encourage software developers to distinguish themselves in the marketplace. This would also raise the barriers to entry in the software development market and ease the pressure on existing competitors who are able to adopt assurance practices, which will benefit both the software industry and the consumer.
4. Market risks preventing software quality and security and proposed mitigations
The current highly competitive commercial software marketplace does not have the incentives or repercussions needed to implement standards. In many situations, security is treated as an optional add-on. A common business argument made to the developer is to ‘worry about security later’. Such a response would not be accepted if a mechanic had reported that a vehicle was unsafe. There is a widespread lack of individual autonomy: IT workers feel that they cannot prioritize quality and safety ahead of production speed and ‘agility’ within their organization because of business pressures. With government-supported licensing, the individual practitioner would gain autonomy and legitimacy for security-driven efforts as a matter of compliance.
The customer is at a disadvantage in market knowledge. Consumers expect reasonable security measures, but there is no such assurance. Typically, the customer has to require specific security measures explicitly in the contract. If security is not explicitly in the requirements, it becomes a burden on the development company to implement it. All estimates of the true cost of security in the system are wrong from the moment the first unsecured prototype is delivered to the client. The customer is left to learn about security by adopting a risk-acceptance posture by default. By accepting insecure software, they incorrectly feed the market an acceptance signal. Without security being forced to be “built in” to the process, the uninformed consumer does not know to discriminate between secure and insecure technologies, and so cannot demand the former in order to signal for more supply.
71