Eugene Spafford

Title: Relating Software Engineering and Information Security

Biographical Sketch:
Eugene H. Spafford is a professor of Computer Sciences at Purdue University, a professor of Philosophy (courtesy appointment), and is Director of the Center for Education and Research in Information Assurance and Security (CERIAS). Spaf 's research career has included work in information security, software engineering, distributed systems, and professional ethics.

Dr. Spafford is a Fellow of the ACM, Fellow of the AAAS, Fellow of the IEEE, and is a charter recipient of the Computer Society's Golden Core award. He was the year 2000 recipient of the NIST/NCSC National Computer Systems Security Award, generally regarded as the field's most significant honor in information security research. In 2001, he was elected to the ISSA Hall of Fame, and he was awarded the William Hugh Murray medal of the NCISSE for his contributions to research and education in infosec.

Among his many activities, Spaf is co-chair of the ACM's U.S. Public Policy Committee and of its Advisory Committee on Computer Security and Privacy, is a member of the Board of Directors of the Computing Research Association, and is a member of the US Air Force Scientific Advisory Board.

Abstract of Talk:
There are many connections between software engineering and information security. Some are obvious, such as the process of detecting software faults, and some are more subtle, such as definition and capture of privacy requirements. In both infosec and SE there are complex challenges of how best to balance cost, design, technology, and time to market: Too often, good practices are skipped because of cost or time. Meanwhile, failures in both areas can lead to everything from minor inconvenience to catastrophic failures and compromises.

In this talk, I intend to explain some of the connections I see between software engineering and information security. In particular, I hope to illustrate how some of the challenges -- and advances -- in infosec have a basis in software engineering. Some of these suggest high-leverage areas of research, while others provide insight about why we will continue to experience security problems in widely-deployed software. For instance, is there truth to the contention that open source software is more secure than proprietary source? Along the way, I will connect Las Vegas, the PDP-11, Roman chariots, and a common security flaw as one illustration of how unintended consequences shape both security and software development.