HELLFIRE
MVM
join:2009-11-25

5 recommendations
CISA: Software makers shouldn't lawyer their way out of sec responsibilities

»www.theregister.com/2023 ··· oftware/
quote:
During a speech at Carnegie Mellon University on Monday, [CISA Director Jen] Easterly said technology providers must prioritize security in their products over other incentives such as cost, features, and speed to market. And she suggested that the government hold companies liable for selling vulnerable products that criminals and nation states later exploit in cyberattacks. "Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services," Easterly said. "While it will not be possible to prevent all software vulnerabilities, the fact that we've accepted a monthly 'Patch Tuesday' as normal is further evidence of our willingness to operate dangerously at the accident boundary," she added. ... Making software "secure-by-design," and thus putting the liability on the vendors to sell safe products out of the box instead of pushing that responsibility on to consumers and businesses, is a drumbeat that CISA has been pounding under Easterly's leadership.
Regards

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

4 recommendations

said by HELLFIRE:

...

... Making software "secure-by-design," and thus putting the liability on the vendors to sell safe products out of the box instead of pushing that responsibility on to consumers and businesses, is a drumbeat that CISA has been pounding under Easterly's leadership.

And unfortunately it's a drumbeat that's more than drowned out by the deafening roar of a business-as-usual, test-it-in-the-field business model that continues to exist in software issuance, as it has for at least 35 years.