Note: There is no hard truth to many of the topics, and for example, software companies, hackers, and governments could have wildly differing incentives and opinions. You are encouraged to make up your own opinion. The lecturer’s opinions are of his own, and do not necessarily reflect the opinion of his employer – although I’d be happy if they did.

Note: This session concentrates on Finland and the European Union – because we’re in Finland. We purposefully do not cover legislation elsewhere in the world, neither do we cover national differences within the EU. EU legislation through directives allows for considerable national variance.

Part 1: Network effects, externalities, disclosure and vulnerability markets

Discuss: What would security debt consist of? What does its interest look like? Can quality (or security) debt be a calculated risk management strategy? Why or why not? (For example: We take a bit of quality debt to be able to meet a shipping deadline, e.g., a Christmas market, that has much larger expected payback than the debt.)

Discuss: Can you name any software products that you really could not switch even if they had security issues? Would you need to continue using them?

Discuss: What do you think about describing software security as an externality? What externalities are there that relate to lack of software security? What would be an internalising activity for these?

Discuss: Do you think that selling vulnerabilities is ethical? If not, why? Isn’t it a natural market economy solution to negative externalities?

Discuss: Do you think governments should stock up with vulnerabilities that can be used in attack / retaliation? If you were the supreme commander, when would you authorise exploiting vulnerabilities, and against whom?

Part 2: Software Security Regulation

Part 3: Software Security Standardisation

Reading list

This is a list of useful documents that will enhance your understanding of the course material. The reading list is session-by-session. “Primary” material means something you would be expected to read if you are serious about the course, and may help you to do the weekly exercise; “Additional” material you may want to read if you would like to deepen your understanding on a specific area.

Note: There are further pointers in the week 6 weekly exercise background material.

Primary material

Additional material


This is lecture support material for the course on Software Security held at Aalto University, Spring 2018. It is not intended as standalone study material.

Created by Antti Vähä-Sipilä <>, @anttivs. Big thanks to Sini Ruohomaa and Prof. N. Asokan.