The truth about that draft law banning Uncle Sam buying insecure software
2022-08-19 02:22

With respect to new and existing government contracts, the proposed act requires a software vendor to provide: "A certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service."

Then there's the issue of bugs that pose no actual security risk being wrongly logged in vulnerability databases, which would nonetheless count against a vendor's certification.

Uncle Sam can buy known buggy software if the contract includes "a notification relating to the plan to mitigate, repair, or resolve each security vulnerability or defect listed in the notification." In other words, if a bug can be mitigated or is due to be fixed, it's not a showstopper.
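To make the two clauses concrete, here is an added example (not code from the article or from the draft act) that evaluates a constructed bill of materials against them: a component with a security-affecting known vulnerability blocks certification unless every such vulnerability carries a mitigation, repair or resolution plan, and database entries flagged as not security-affecting are ignored, reflecting the mislogged-bug caveat above. The SBOM, component names and vulnerability identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Dict

@dataclass
class Vulnerability:
    vuln_id: str
    affects_security: bool = True          # False models a non-security bug mislogged in a vuln DB
    mitigation_plan: Optional[str] = None  # a plan to mitigate/repair/resolve exempts the bug

@dataclass
class Component:
    name: str
    version: str
    known_vulns: List[Vulnerability] = field(default_factory=list)

def assess_component(c: Component) -> str:
    """Classify one SBOM entry as 'clean', 'needs_notification' or 'blocked'."""
    security_vulns = [v for v in c.known_vulns if v.affects_security]
    if not security_vulns:
        return "clean"                    # no known security vulnerability: certifiable as-is
    if all(v.mitigation_plan for v in security_vulns):
        return "needs_notification"       # buyable, but a mitigation notification must accompany it
    return "blocked"                      # known vulnerability with no plan: a showstopper

def assess_sbom(components: List[Component]) -> Dict[str, str]:
    """Map each 'name@version' entry to its status."""
    return {f"{c.name}@{c.version}": assess_component(c) for c in components}

def can_certify(components: List[Component]) -> bool:
    """Certification is possible only when no entry is blocked."""
    return all(status != "blocked" for status in assess_sbom(components).values())

# Constructed sample SBOM; the vulnerability identifiers are placeholders, not real CVEs.
SAMPLE_SBOM = [
    Component("libfoo", "1.2.0"),
    Component("libbar", "3.1.4", [Vulnerability("PLACEHOLDER-0001", mitigation_plan="fixed in 3.1.5, due next release")]),
    Component("libbaz", "0.9.0", [Vulnerability("PLACEHOLDER-0002", affects_security=False)]),
    Component("libqux", "2.0.0", [Vulnerability("PLACEHOLDER-0003")]),
]

if __name__ == "__main__":
    for entry, status in assess_sbom(SAMPLE_SBOM).items():
        print(entry, status)
    print("certifiable:", can_certify(SAMPLE_SBOM))
```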

"Policymakers: please stop considering requirements to eliminate all software vulnerabilities, or bans on sale of software with any vulnerabilities," tweeted attorney Harley Lorenz Geiger, a senior policy director at Rapid7.

Others, such as Luta Security CEO Katie Moussouris, urged security pros to take a deep breath and relax.

Mauricio Sanchez, a research director at Dell'Oro Group who covers network security, told The Register that while he believes the legislators are well-intentioned, the language may put officials in an impossible position when it comes to purchasing technology.
News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/19/dod_spending_bill/