
A Pseudoperipatetic Application Security Handbook For Virtuous Software

A Pseudoperipatetic Application Security Handbook For Virtuous Software. Keith Douglas Statistics Canada (Standard disclaimer). Outline. Introduction and What is Application Security? Nature of Technology Nature of Virtue How to Obtain Virtue What Results from Virtue


Presentation Transcript


  1. A Pseudoperipatetic Application Security Handbook For Virtuous Software • Keith Douglas • Statistics Canada • (Standard disclaimer)

  2. Outline • Introduction and What is Application Security? • Nature of Technology • Nature of Virtue • How to Obtain Virtue • What Results from Virtue • Who and What is Virtuous • What are Specific Virtues • Conclusion

  3. Intro / What is AS? • 10-15 years of increased awareness of AS • Hard to distill many volumes, whitepapers, reports, etc. into material suitable for developers, etc. • “Virtuous software” - Evelyn Perkins • Starting point here: Nicomachean Ethics • Might be useful to have to follow along • Implicit background: KD is Canadian federal public servant; original audience similar • Virtues of both humans and software

  4. Nature of Technology • Art vs. Technology vs. Craft - not in text but important later (vs. science, too - Douglas; cf. Diamond) • 1094a1 - Nevertheless same in one way: aim at some good • Goal in mind about what we develop • Don’t leave software open to be exploited for evil

  5. Nature of Technology • 1094b2 - Demonstration often (Turelli?) impossible in ethics • Important because of developer mindset of exact specifications, precise languages, detailed rules, etc. • 1100b15 - Virtuous activities more durable than knowledge • Again mindset important; tools change, exploits change, but goal of a good AS approach should be better developers, etc. too.

  6. Nature of Technology • 1105a8 ff - Virtue is concerned with “what is harder” • Very true of AS - easy to forget about it and “just get it working” • Spinoza?

  7. Nature of Technology • 1106a15-17 - 3 characteristics of virtuous software from 3 excellences of something • Good condition / not easily broken • “Broken” often used of buggy software (Aleph1) • Allows well-use of its functions • And isn’t infected, crashing, etc. • Not some other use of its proper functions • Don’t overengineer - attack surface too large, and hence illegit use.

  8. Nature of Virtue • Bill and Ted • 1096a25 - More than one virtue • Security itself more than one: reliability, non-repudiability, non-disclosure, etc. • Possibly non-security virtues in software, etc. • Refutation of the unity thesis?

  9. Nature of Virtue • 1097b1, 1097b23 - Happiness chief virtue? • I don’t know • But argument interesting as proper functions more plausible in artifacts than humans • 1103b35 - Virtues can be intellectual • Thoroughness of testing, intellectual honesty, etc.

  10. Nature of Virtue • 1157b6 - Virtues can apply to states and activities • Data structures and algorithms? • 1179b1 - Must use virtue • Developers, etc. should get hands on experience in addition to books, talks, etc.

  11. Obtaining Virtue • 1103a20 - Virtue from habit • Tacit knowledge - how a lot of our skills in software design, programming, testing etc. arise. (Polanyi; cf. Wimsatt) • Do it when it doesn’t matter as much to “get in the habit” • 1170a11 - Train in virtue by being in company of the good - more on learning from examples

  12. Obtaining Virtue • 1180a6 - Creating virtue through legislation • Arguably already done partially in my workplace • Might need more specifically on topic of AS (one can hope!)

  13. What Results • 1101b30 - Extrinsic benefits to virtue (praise, etc.) • Aristotle here recommends something to managers and compensation specialists • I’ve received praise for my work in the area but not much else ...

  14. What Results • 1122b31 - The effects on the vicious • Handles objections from colleagues about “moralizing software development” • We need not punish the poor programmer, etc. who makes a mistake, just encourage its correction, etc. Think rehabilitation, education.

  15. What Results • 1177a2 - Happiness • Sounds very odd to developers (and is contentious historically!) • But a virtuous development cycle ought to work to minimize the dreaded “fix” stage • A “hill-climbing situation” for sure

  16. Who is Virtuous • 1105a7 - 3 characteristics of virtuous agent: • Have knowledge: • Usual knowledge of tools, languages, etc. as well as of vulnerabilities and their remediations • Choose actions for their own sakes: • Don’t make arbitrary coding decisions. Use change request systems (e.g. Jira) • Actions must proceed from firm/unchangeable character • Weaken (resistance to outside influence) and reminder about any ethical source

  17. What are Specific Virtues • 1115a6 - Courage discussed first • 5 sorts according to Aristotle • 3 sorts that I’ve found useful in computing: • Courage to confront authority - whistleblowing • Intellectual courage - courage to learn something new • Courage to be patient

  18. What are Specific Virtues • 1117b24 - Temperance • Reminders: • Not all virtues apply to all activities • How to construct list? • Even clearer with pride 1123b33 • Difficult in pluralistic society

  19. What are Specific Virtues • 1126b20, 1127a13 - Nameless virtues • Might well need new character traits and behaviours (both for us and software) that have well defined earmarks but no names (yet?) • “Off the wall” thinking outside the box • WAITFOR SQL injections (Clarke)

  20. What are Specific Virtues • 1129a1 - Justice • We need a better understanding of this to understand AS better • I will not do this here • Aristotle says the just is the lawful • Civil disobedience • Also says just is the proportional • Some vulnerabilities involve disproportion • DoS, buffer overrun

  21. Conclusion • Seen how one can start thinking about many areas of interest in AS by reading a work of virtue ethics • Use other traditions (e.g. Chinese) and sources (ancient - Meno; modern - Crisp and Slote) • Virtues for each activity? Software vs. humans?
