Derek Weeks, VP and DevOps Advocate at open source software security firm Sonatype commented below on the news that France is planning to put manufacturer liability on the security of their products for their entire lifecycle. Derek believes that this is a step in the right direction for security and for software assembly in general.
Derek Weeks, VP and DevOps Advocate at Sonatype:
“The French government plans to impose legislation that would make manufacturers liable for the security of their products that are software based. Today, 80 – 90% of applications are composed from reusable software parts called open source components. While these parts play a vital role in driving innovation and powering the world as we know it, the 2017 State of the Software Supply Chain Report revealed that 1 in 18 of these parts have known security vulnerabilities.
“No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products. Why should software manufacturers be any different? Shipping known vulnerable software components in one’s product in any other manufacturing industry would be considered gross negligence.
“The UK is one country that is already taking this head on from a legislative standpoint, and providing an example to follow and emulate. The National Cyber Security Strategy 2016-2021 states that ‘Businesses and organisations decide on where and how to invest in cybersecurity based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems.’ As attacks and breaches are often the result of easily exploited – and easily rectified – vulnerabilities, there is no excuse for manufacturers not to follow suit. The ICO went as far to fine Gloucester City Council £100,000 in June 2017 for not preventing a cyber-attack that exploited a very well-known vulnerability – Open SSL Heartbleed.
“Fortunately, the challenges of vulnerable software components are easily solved by using a DevSecOps approach – a practice manufacturers should be adopting for software-based products. This enables security and governance to be automated from the start and implemented everywhere within a DevOps pipeline. Instead of using manual reviews of code, which leaves businesses at risk of human error, DevOps practices can utilise machines to adjudicate all components.
“Increased governance practices will become even more relevant this coming May when GDPR enforces the requirement to design security in from the beginning. For those not yet paying attention to software liability, now is the time.”