Panel: Product Assurance
Proceedings 13th Annual Computer Security Applications Conference
Panel Theme: We know how to put functionality into a product. However, significant concerns remain as we try to answer the following questions: How do we know how much assurance we obtain as a result of adding functionality to a system? How much assurance is enough? What is assurance and how can it be measured? What are some new techniques for obtaining and measuring assurance? Can process replace evaluation? Can process measurement tell us anything about assurance? Is evaluation sufficient, necessary, or cost-effective? These concerns are magnified by disagreements over what constitutes assurance and how it can be identified and measured.

The Panel on Assurance presents a wide range of perspectives on these questions. Panelists will present innovative approaches to identifying, obtaining, and measuring assurance. They report on new developments in the field and new techniques for defining and solving the most perplexing information security questions of the day.

Position Statements:

Mike Diaz, Motorola
Risk Exposure and Trusted Solutions

Development of trusted software solutions traditionally involved a painstaking evaluation of the source code as well as the architecture and environment of the system. This evaluation after the fact was time-consuming, resource-dependent, and relied on a risk-avoidance paradigm. The shift towards a commercial paradigm, away from DOD applications, requires an increased focus on time to market and a shift away from the risk-avoidance paradigm to that of risk-exposure management. The new paradigm requires that the developer select the appropriate amount of assurance in order to optimize performance, usability, and time to market while targeting a certain amount of risk exposure.

Dan Gambel, Mitretek, Inc.