The “Security by Design” project is a multiyear initiative with the objective of creating a density of work product in the area of software design security. This project evaluates several elements of software security, from the secure-by-design and secure-by-default principles to how legal and policy processes could require or incentivize security by design from software developers. It features long-form research papers, articles, podcast interviews and documentation on these questions.
A Government Cybersecurity Backstop Isn’t a Silver Bullet
An effective government backstop would require preexisting consensus on security standards, data sharing, and cooperation.

Measuring Policy Effectiveness of Cyber Defensibility and Deterrence
The United States needs better ways to understand success in cyberspace. Doing so is now within reach, with the right, top-down approach.

Lawfare Daily: Eugenia Lostri and Justin Sherman on Security by Design in Practice
What does “Security by Design” mean in practice?

“Security by Design” in Practice: Assessing Concepts, Definitions, and Approaches
There is significant consensus about the meaning of “security by design,” but less on the definition and utility of “security by default.”

Investing in Rust
U.S. public policy can help facilitate market adoption of a relatively new, efficient, and safe programming language called Rust.

Making Attestation Work for Software Security
Attestation will be part of the federal government’s software procurement process for the foreseeable future. Let’s make it work.

Moving Slow and Fixing Things
The United States could learn from Europe’s approach to incentivizing cybersecurity.

Standards of Care and Safe Harbors in Software Liability: A Primer
Deciphering the Biden administration’s nascent software liability efforts.

Incentives for Improving Software Security: Product Liability and Alternatives
Tort liability is the wrong approach to improving software security; process transparency and Executive Order 14028 offer a path forward.

Software Liability and Insurance
Insurers can bring unique evidence and legal strategies to software liability cases if the regime creates a path for subrogation.

Questioning the Conventional Wisdom on Liability and Open Source Software
To improve cybersecurity, open source software should not be completely exempt from software liability.

Will a Cybersecurity Safe Harbor Raise All Boats?
A private certification model, leveraging best-in-class cybersecurity assessment and audit practices, could be bolstered by public auditors and reinforced by downstream litigation models with relatively l...