Stephen de Vries is Co-Founder & CEO of IriusRisk.
Legislators are taking the fight to cybercrime. The Biden administration’s National Cybersecurity Strategy, published in March 2023, proposed shifting liability for insecure software onto the companies that produce it. Legislation along those lines would change the way software is developed and taken to market, and it would give the U.S. the strictest rules for secure software anywhere in the world.
Meanwhile, in the EU, the European Parliament passed the Cyber Resilience Act, and it’s likely to become law. It does not go as far on liability but adds an interesting aspect that U.S. legislators may wish to consider.
The Act proposes allowing consumers to “see” what security has been applied to a product in order to make more informed decisions. This additional aspect of visibility means companies will not only need to implement good software security but also show they have implemented it.
Given the global importance of software companies and decades of political prevarication—despite an increasingly sophisticated threat—it’s about time.
The idea of making a manufacturer liable for a product is not revolutionary. In fact, it applies to just about every sector except software. Would you accept a car manufacturer disclaiming liability for the safety of the components that make up its vehicles? How about electrical appliances in our homes?
Yet that is just what software manufacturers do—placing liability on nonexperts, individuals or small businesses to manage the security of the software despite the potential for hugely damaging (even life-threatening) consequences.
Why are politicians acting now?
First, and in plain terms, software has become too important. In today’s world, software is transforming every sector, and almost every aspect of our lives depends on it in some way. The direction of travel is only one way.
Second, as a result of this dependence, we find ourselves under constant attack—a bombardment that the market has yet to respond to adequately.
Incentivized to get their products to market quickly, many software providers have taken shortcuts on security or sought to fix things down the road through patches and updates. This includes some of the biggest players in the market: “Patch Tuesday” is the unofficial name for Microsoft’s monthly security fix release.
A litany of examples exists where organizations purportedly haven’t properly addressed security flaws they knew about. Wired reported that Facebook failed to disclose a flaw in its “contact import” feature in 2019 that was later exploited to expose the email addresses and phone numbers of over 500 million Facebook users. High-profile breaches like this involving personal data often become public knowledge, but they are just a small percentage of incidents, most of which never reach the media.
How does business need to adapt?
Something known as “security by design” needs to be built into software from its very outset. In simple terms, good practice means “threat modeling” the design of the software to be able to plan what security controls and features need to be built into it.
However, it will take a major shift in how organizations approach security. At the moment, too many software architects and developers who design the software and write the code don’t have the technical knowledge to build secure software, and they don’t see security as their responsibility. Meanwhile, the security experts don’t get involved until after the software has been built.
Businesses should start thinking about security much earlier, and it must be viewed as a joint enterprise. At the design phase, software architects, developers and security experts must be encouraged to work together to identify potential vulnerabilities and work out how they can be mitigated.
Starting with a design that is secure is also going to become even more critical as we begin to rely on AI to write software code. AI may well be smart enough to write flawless code based on a software design, but if that design isn’t secure, it will build insecure software—potentially at a much greater speed and scale than ever before.
Building in these processes at an early stage may seem like a significant burden, especially for organizations that are building thousands of applications. However, technology is also making strides here, and automation can generate threats and countermeasures in a software design.
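The two points above, that threat modeling a design tells you which controls to build and that the threat-and-countermeasure step can be automated, as an added example that is not part of the original article and is not IriusRisk’s engine: a small rule-driven, STRIDE-style generator run over a constructed three-tier design model (browser, web app in a DMZ, database holding personal data). The element kinds, attributes, rules and the sample design are assumptions chosen for illustration; a real tool carries a far larger rule base and a richer model.

```python
"""Rule-driven threat generation over a data-flow design model.

Added illustration, not IriusRisk's engine. Element kinds, attributes and
rules are assumptions for the example; the sample design is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    """A component in the design model (the kinds below are assumed)."""
    name: str
    kind: str                 # "external", "process" or "datastore"
    zone: str                 # trust zone; a flow between zones crosses a boundary
    stores_pii: bool = False  # datastore attribute


@dataclass(frozen=True)
class Flow:
    """A data flow from one element to another."""
    src: str
    dst: str
    encrypted: bool
    authenticated: bool


@dataclass(frozen=True)
class Threat:
    category: str       # STRIDE category, spelled out
    target: str         # element name, or "src->dst" for a flow
    description: str
    countermeasure: str


# Element rules: (predicate, category, description, countermeasure).
ELEMENT_RULES = [
    (lambda e: e.kind == "external", "Spoofing",
     "caller identity is not verified", "authenticate the entity at the receiving process"),
    (lambda e: e.kind == "process", "Elevation of privilege",
     "process may run with more privilege than it needs", "run as a least-privilege account"),
    (lambda e: e.kind == "datastore" and e.stores_pii, "Information disclosure",
     "personal data readable with storage access", "encrypt at rest; restrict store access"),
    (lambda e: e.kind == "datastore", "Repudiation",
     "changes to stored data cannot be attributed", "keep an append-only audit log of writes"),
]

# Flow rules: predicate receives (flow, source element, destination element).
FLOW_RULES = [
    (lambda f, s, d: s.zone != d.zone and not f.encrypted, "Information disclosure",
     "cleartext data crossing a trust boundary can be read", "encrypt the channel (TLS)"),
    (lambda f, s, d: s.zone != d.zone and not f.encrypted, "Tampering",
     "cleartext data crossing a trust boundary can be modified", "use TLS; check message integrity"),
    (lambda f, s, d: s.zone != d.zone and not f.authenticated, "Spoofing",
     "receiver cannot tell who sent the request", "authenticate the sender (session token or mTLS)"),
    (lambda f, s, d: s.kind == "external" and d.kind == "process", "Denial of service",
     "an external caller can flood the process", "rate-limit and bound resources per caller"),
]


def generate_threats(elements, flows):
    """Apply every rule to every element and flow; return the threats that match."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        for pred, cat, desc, fix in ELEMENT_RULES:
            if pred(e):
                threats.append(Threat(cat, e.name, desc, fix))
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        for pred, cat, desc, fix in FLOW_RULES:
            if pred(f, src, dst):
                threats.append(Threat(cat, f"{f.src}->{f.dst}", desc, fix))
    return threats


def count_by_category(threats):
    """Reporting summary: number of threats per STRIDE category."""
    return dict(Counter(t.category for t in threats))


# Constructed sample design: browser -> web app (DMZ) -> database (internal zone).
SAMPLE_ELEMENTS = [
    Element("browser", "external", "internet"),
    Element("webapp", "process", "dmz"),
    Element("db", "datastore", "internal", stores_pii=True),
]
SAMPLE_FLOWS = [
    Flow("browser", "webapp", encrypted=True, authenticated=False),   # TLS, no login yet
    Flow("webapp", "db", encrypted=False, authenticated=True),        # cleartext DB link
]


def sample_report():
    """Threats for the sample design, in rule order (8 for the model above)."""
    return generate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)


if __name__ == "__main__":
    for t in sample_report():
        print(f"[{t.category}] {t.target}: {t.description} -> {t.countermeasure}")
```

The point of the structure is that the design model and the rule base are data: an architect draws the flows and trust zones, and the threats and countermeasures fall out of the rules rather than out of a late-stage review. Here the cleartext link from the web app to the database yields two flow threats, and the unauthenticated browser flow yields a spoofing threat, each with the control that should be in the design before any code is written.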
In the U.S., EU and around the world, legislation is beginning to catch up with the cybersecurity landscape, but the battle is far from won. Political action is welcome, but it will take time to implement and may be slow to adapt to a fast-moving environment. The signal to business is clear, however, and any software company not implementing security by design will soon be left behind.
Copyright for syndicated content belongs to the linked Source : Forbes – https://www.forbes.com/sites/forbestechcouncil/2024/06/18/politicians-are-coming-for-makers-of-insecure-software-its-about-time