Position: How Regulation Will Change Software Security Research
Steven Arzt, Linda Schreiber, Dominik Appelt

TL;DR
This paper discusses how upcoming legislation will influence software security research, emphasizing the need for better tools, industry compliance, and collaboration between legal and technical fields to improve security practices.
Contribution
It highlights the importance of integrating legal standards into software engineering research and calls for stronger collaboration between legal scholars and computer scientists.
Findings
Legislation will impose new security compliance requirements.
Enhanced tools are needed to help industry meet legal standards.
Bridging legal and technical domains can improve security practices.
Abstract
Software security has been an important research topic over the years. The community has proposed processes and tools for secure software development and security analysis. However, a significant number of vulnerabilities remain in real-world software-driven systems and products. To alleviate this problem, legislation is being established to oblige manufacturers, for example, to comply with essential security requirements and to establish appropriate development practices. We argue that software engineering research needs to provide better tools and support that help industry comply with the new standards while retaining efficient processes. We argue for a stronger cooperation between legal scholars and computer scientists, and for bridging the gap between higher-level regulation and code-level engineering.
Taxonomy
Topics: Information and Cyber Security
