Is It Time For Software Liability? w/ Derek Weeks - It’s

  • It's 5:05
  • 2023-03-05

Video description: Is It Time For Software Liability? w/ Derek Weeks - It’s

Subscribe and follow: https://bit.ly/listen-on-all-podcast-.... View the transcription, find links to resources mentioned in this segment.

Fierce Pharma recently reported some intense public scrutiny on Zantac that started in 2019 when an online pharmacy found high levels of a likely carcinogenic ingredient in the drug and its generic forms as well. Recalls followed by the FDA who pulled the drug from the market in 2020.
Bloomberg also reported that Zantac’s maker kept quiet about the cancer risks for 40 years. But what does this have to do with cybersecurity?
Well, I’m Derek Weeks reporting from Bethesda, Maryland.
This week, Tim Starks at the Washington Post reported on comments made by Cybersecurity and Infrastructure Security Agency Director Jen Easterly at Carnegie Mellon on Monday. Jen Easterly said “Congress should advance legislation allowing software manufacturers to be held legally liable for the insecurity of their products, and it should also shield companies that develop secure software from legal liability.”
The idea of holding software makers liable for their security shortcomings is something that was floated by Bruce Schneier as far back as 2002. If you go and Google those, they are definitely easy to find and you’ll find them still relevant today. I started blogging about the topic, I think back in 2015.
So Easterly is pushing for two things: one, if you develop known insecure software or software with known vulnerabilities in it, you should be held accountable. If you follow a secure-by-design development process, then you should have protection from liability in those kinds of practices.
But going back to the Zantac manufacturing process and the carcinogenic ingredient found in that drug, everyone knows that it’s illegal for Zantac to ship products with known carcinogens in them. Now, when it comes to software, why is it legal for companies to ship known vulnerable code or known vulnerable open source components in their software?
It’s a practice that has been reported on for a long time. We know there are known vulnerabilities in code, but there’s not enough diligence in software development practices to remove all of those known vulnerable pieces of code. The industry has for a long time tried deflection practices to say: hey, not all of these known pieces of vulnerable code are called within the application. And it’s not possible for us to keep track of everything that we’re using in the code.
I’m not speaking of shipping software with unknown vulnerabilities in the code. Those will always exist. We’ve known, and I’ve reported on for almost a decade now, that software companies ship known vulnerable open source components in their products.
And here’s the rub: when industry fails to police itself, you have the worst outcome possible – government regulation. That regulation, if put in place, will feel out of touch because Congress develop for the technology industry. It will also weigh on the operating budgets of technology companies or any company today that develops and ships software.
If Jen Easterly has her way, decades of not prioritizing this issue more, for companies that are developing software, may soon bring unwanted consequences of our collective inaction.

#its505 #cybersecurity #opensource #softwareliability #CISA
