The French government has drawn up proposals to hold software manufacturers accountable for security vulnerabilities.
The proposed legislation would make manufacturers liable for the security of a product while it is on the market, with the possibility of requiring its software to be made open-source at end-of-life. Today around 90 per cent of software applications are composed of reused software components, which are often vulnerable to cyber attacks. While these components play a vital role in driving innovation and powering the world as we know it, the 2017 State of the Software Supply Chain Report revealed that 1 in 18 of them have known security vulnerabilities.
Derek Weeks, VP and DevOps advocate at Sonatype, believes this kind of regulation can only be a good thing. “No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products,” he said. “Why should software manufacturers be any different? Shipping known vulnerable software components in one’s product in any other manufacturing industry would be considered gross negligence.”
He added: “The UK is one country that is already taking this head on from a legislative standpoint, and providing an example to follow and emulate. The National Cyber Security Strategy 2016-2021 states that ‘Businesses and organisations decide on where and how to invest in cybersecurity based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems.’ As attacks and breaches are often the result of easily exploited – and easily rectified – vulnerabilities, there is no excuse for manufacturers not to follow suit. The ICO went as far as to fine Gloucester City Council £100,000 in June 2017 for not preventing a cyber-attack that exploited a very well-known vulnerability – OpenSSL Heartbleed.”