Software liability: The hard truths of holding manufacturers responsible
May 30, 2023 – Published on SC Media
For years, companies have been victimized by hackers exploiting vulnerabilities left by software makers who prioritize development speed, convenience and interoperability over security, while disavowing culpability through licensing and terms-of-service contracts.
While companies such as SolarWinds have been sued by shareholders following a breach caused by software insecurity, the substance of that lawsuit and others focus on more general cybersecurity practices within an organization rather than the software development process, and like the SolarWinds case they tend to be settled outside of court before any legal precedents can be set.
The Biden administration has argued that opening up these companies to potential lawsuits tied to poorly developed software, while creating legal safe harbor for those who follow best practices, could incentivize the industry to coalesce around secure by design software development norms and reframe the national conversation away from blaming end users when a system is breached.
But software security experts and policymakers tell SC Media that a straightforward narrative around this issue can belie an exceedingly complex threat landscape, one where the multi-pronged nature of many cyberattacks, nuances around patching timelines and the widespread use of open-source software components in commercial software can make it difficult to craft clear legal language that would capture bad actors without also pulling in edge cases or well-intentioned firms doing their best in a challenging environment.
While software liability serves as the Biden administration’s stick, the carrot comes in the form of a regulatory safe harbor regime, whereby companies could proactively demonstrate that they’re following best practices around secure software development and gain immunity from such lawsuits.
But it’s not clear whether that process would be managed by the government or a third party, what kind of standards would be tied to immunity, who would audit or vet a company’s security posture and how long should products remain exempt. It may also be easier for larger or better-resourced organizations to pass any audit or regulatory process than smaller businesses.
Kristen Bell, director of application security at GuidePoint Security, said her company provides clients with remediation “guidance” around writing safer code, but they will not certify or endorse code changes because software and the threat landscape around it are constantly evolving, where a software program can be deemed safe today and still be a major cause of a breach tomorrow.
“How long do you guarantee [liability protection]? How do you account for zero day [exploits] and things that we haven’t yet discovered? That’s a legitimate concern, especially if there are any open-source components where we’re seeing zero days there all the time. It’s very difficult to put warranties around software because of these unknowns,” said Bell.
Read More HERE.