Staying ahead of the cyberattack curve in a constantly evolving world requires a comprehensive strategy. Today's release of the Biden-Harris Administration's National Cybersecurity Strategy provides an extensive roadmap for impacting both public and private security efforts. In this blog post, we’ll take an in-depth look at three of the most software-related strategic objectives: software liability, open-source software usage, and cybersecurity workforce readiness.
Software Liability Overview
Software liability refers to the legal and financial responsibility of individuals or entities for any damages or losses caused by their software. This can include issues such as security vulnerabilities, bugs, or other defects that result in harm to users or their data.
The National Cybersecurity Strategy states: “Poor software security greatly increases systemic risk across the digital ecosystem... We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software...” Software liability in the form of specific rules and regulations can be complex and nuanced. The strategy mentions a focus on developing “an adaptable safe harbor framework” that will define what the reasonable precautions need to be for an entity to know they are doing their due diligence.
Chris Wysopal, Veracode Founder and CTO, comments: “Software can’t be 100% perfect - but what’s reasonable? Surely the companies who aren’t doing anything need to be liable, but it makes sense for there to be a safe harbor for those who do due diligence. So the question remains: what qualifies a safe harbor? Vendors need a concrete list of activities and features they need to meet the requirements of a safe harbor framework.” Chris Wysopal first spoke up about the idea of software liability to make IT more defensible 25 years ago when he testified to the U.S. Senate Committee on Governmental Affairs.
Open-source Software Usage Overview
Open-source software (OSS) is software that is made freely available to the public, along with its source code, under a license that allows users to view, modify, and distribute the code as they see fit. It has become increasingly popular in recent years due to its flexibility, transparency, and community-driven development model. While none of the strategy’s objectives are specifically about open-source software, it is mentioned several times throughout the full strategy regarding modernizing federal defenses and furthering the NIST Secure Software Development Framework (SSDF).
Open-source software, being a constantly evolving landscape, comes with many security unknowns. Get the data you need to use open-source libraries securely in our State of Software Security v11: Open Source Edition. Additionally, on the day of this blog being published, Veracode is the only FedRamp authorized company that has Software Composition Analysis (SCA), which is used for finding vulnerabilities in open-source libraries.
Cybersecurity Workforce Readiness Overview
Cybersecurity workforce readiness is essential for maintaining the integrity of critical systems and data in today’s digital age. “Strategic Objective 4.6: Develop a National Strategy to Strengthen Our Cyber Workforce” doesn’t just mention they will be focusing on filling the growing gap of vacancies in cybersecurity positions, but it makes special mention of filling the positions with a focus on diversity. The strategy states: “Addressing systemic inequities and overcoming barriers that inhibit diversity in the cyber workforce is both a moral necessity and a strategic imperative.”
While the issue of workforce readiness is larger than just software security, it has a great impact on secure software development. Research in a recent ESG Survey Report tells us that 35% of organizations say that less than half of their development teams participate in formal security training, and less than 50% require their developers to engage in formal training more than once each year. Veracode supports bridging this skills gap by providing free, immersive developer education via Security Labs Community Edition and the ability to book a call with an Application Security Consultant directly from a customer’s IDE or platform interface.
Conclusion
Today is a landmark day for the technological future of humanity. Here at Veracode we always say, “Security is job number one.” The National Cybersecurity Strategy is a critical initiative that seeks to safeguard our digital infrastructure and ensure we are well-prepared to face the growing cyber threats of our time. As individuals and organizations in both the private and public sectors increasingly rely on technology to carry out their daily operations, we are in full support of the successful implementation of this strategy.