It seems like yesterday when Representative Ed Royce proposed legislation titled the “Cyber Supply Chain Management and Transparency Act.” Almost three years have passed since Congressman Royce introduced his bill in November 2014 and helped educate the world about serious security vulnerabilities (such as Apache Struts and Heartbleed) lurking inside open-source components that are commonly used by anyone and everyone building modern software applications.
Broadly speaking, Royce’s bill would have required technology vendors selling software to the U.S. government to do the following:
- Provide customers with a bill of materials documenting all open-source components utilized in the software application;
- Demonstrate that the component versions utilized in the application have no known vulnerabilities (CVEs from NVD) for which less-vulnerable alternatives are available;
- Provide a mechanism to promptly remediate new vulnerabilities when they are discovered.
Despite dying a quiet death, the Royce bill helped to pioneer an important conversation between government and industry leaders with respect to the age-old question of software liability.
This conversation continues to evolve—and just recently Sen. Mark Warner, a Democrat from Virginia, and Sen. Cory Gardner, a Republican from Colorado, introduced the “Internet of Things Cybersecurity Improvement Act of 2017”—an attempt to force companies selling IoT devices to federal agencies to adhere to new security standards.
Just like the Royce bill before it, the newly proposed legislation from Sen. Warner would require vendors selling IoT-connected devices to government customers to do three simple things:
- Provide written certification that IoT devices do not contain hardware, software or firmware components with any known security vulnerabilities or defects listed in the NVD or similar databases.
- Notify government customers of any new security vulnerabilities or defects subsequently discovered.
- Provide a mechanism that allows for any future security vulnerability or defect in any part of the software or firmware to be patched or fixed in a timely and secure manner.
As Bruce Schneier observed more than a decade ago, there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the market often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.
Although the Royce bill failed and the future of the Warner bill is yet to be determined, there is an increasingly steady breeze blowing from Washington, D.C., that is gently nudging the entire software industry toward a future in which vendors will no longer be immune to liability for damages due to known security vulnerabilities or defects.
About the Author / Matt Howard
A proven executive and entrepreneur with over 20 years of experience developing high-growth software companies, Mr. Howard leads Sonatype’s corporate marketing, strategic partnering, and demand-generation initiatives. Prior to Sonatype, he co-founded, developed and successfully sold two software companies. Earlier in his career, Howard led sales and marketing at USinternetworking (acquired by AT&T) and Groove Networks (acquired by Microsoft), where his teams distributed workgroup collaboration products to enterprise customers. Howard holds a Bachelor of Arts degree from The George Washington University and a Master of Arts from George Mason University.