University of Minnesota
University Relations
myU OneStop

Go to unit's home.

Home | Seminars and Symposia | Past seminars/symposia: Tuesday, January 11, 2011

DTC Leading Edge Seminar Series

Responsibility for the Harm and Risk of Security Flaws


Cassio Goldschmidt
Senior Manager, Product Security

Tuesday, January 11, 2011
3:30 p.m. reception
4:00 p.m. seminar

401/402 Walter Library

View webcast of this seminar

Cassio Goldschmidt

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks, such as the internet, has made software security (or the lack of software security) a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to over invest in activities that don't generate the desired return on investment or under invest on mitigation, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood. Decisions made by adopters such as whether to install a patch, upgrade a system or employed insecure configurations create externalities that have implications on the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors' decisions to invest on security by voting with their money every time software is purchased or pirated. This presentation outlines the role of each player involved in the software life cycle and the incentives (and disincentives) they have to perform the task, the network effects of their actions and the results on the state of software security.


Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec's internal secure software development process, training, threat modeling, penetration testing and vulnerability management. Cassio's background includes over 14 years of technical and managerial experience in the software industry. Cassio is also a frequent speaker at security conferences worldwide. Cassio holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a master's degree in software engineering from Santa Clara University, and masters of business administration from the University of Southern California.