Position: How Regulation Will Change Software Security Research

Steven Arzt, Linda Schreiber, Dominik Appelt
2024-06-06
Abstract: Software security has been an important research topic over the years. The community has proposed processes and tools for secure software development and security analysis. However, a significant number of vulnerabilities remains in real-world software-driven systems and products. To alleviate this problem, legislation is being established to oblige manufacturers, for example, to comply with essential security requirements and to establish appropriate development practices. We argue that software engineering research needs to provide better tools and support that help industry comply with the new standards while retaining efficient processes. We argue for a stronger cooperation between legal scholars and computer scientists, and for bridging the gap between higher-level regulation and code-level engineering.
Software Engineering
### What problems does this paper attempt to solve?

This paper explores the impact of regulations, especially the EU's Cyber Resilience Act (CRA), on software security research and industrial practice. Specifically, it attempts to address the following core problems:

1. **The gap between existing vulnerabilities and regulatory requirements**
   - Although many tools and methods have been proposed in the field of software security over the years, a large number of vulnerabilities remain in real-world software-driven systems and products.
   - New regulations such as the CRA require manufacturers to comply with strict security standards and to establish appropriate development practices, which brings new challenges to software engineering research.

2. **Cooperation between legal scholars and computer scientists**
   - The paper emphasizes the need for closer cooperation between legal scholars and computer scientists to bridge the gap between high-level regulation and code-level engineering. This cooperation helps to ensure that regulations are practically feasible and that technical implementations are sound.

3. **Development of compliance tools and techniques**
   - The research community needs to provide better tools and support to help industry meet the new regulatory requirements while maintaining efficient processes. For example, how can security-by-design checks (such as code analysis and fuzz testing) be embedded in risk models so that the security of the entire product is ensured, not just that of individual components?

4. **The impact of regulation on the software development process**
   - Regulations such as the CRA affect not only the finished product but also the entire software development and implementation process. Software engineers therefore need a basic understanding of legal principles and must consider potential legal risks during development.

5. **Documentation and evidence requirements**
   - Regulations such as the CRA require comprehensive documentation of the measures implemented to meet legal requirements. This includes detailed documentation and evidence so that the appropriateness and proportionality of the measures taken can be demonstrated when questioned by regulatory authorities or courts.

6. **Wide-ranging application across industries**
   - Many industries that were not strictly regulated in the past must now comply with these regulations, which imposes new requirements on their software development and security management. For example, even free mobile game applications may fall under the regulation because they generate profit through advertising.

In summary, this paper aims to explore how regulation changes the direction and focus of software security research, and it proposes a series of research challenges and technical requirements in response to these changes.