Security News > 2023 > February > US cybersecurity chief: Software makers shouldn't lawyer their way out of security responsibilities

What's more dangerous than Chinese spy balloons? Unsafe software and other technology products, according to America's Cybersecurity and Infrastructure Agency Director Jen Easterly.

"Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services," Easterly said.

For comparison: Twitter reports fewer than three percent of its users turn on any type of MFA, while Microsoft puts the number at about 25 percent of its enterprise customers - and only about one-third of those companies' admin accounts use MFA, Easterly noted.

"Apple's impressive MFA numbers aren't due to random chance. By making MFA the default for user accounts, Apple is taking ownership for the security outcomes of their users," Easterly said, adding that even though Twitter and Microsoft's MFA percentages are "Disappointing," at least they publicly disclose this data.

Making software "Secure-by-design," and thus putting the liability on the vendors to sell safe products out of the box instead of pushing that responsibility on to consumers and businesses, is a drumbeat that CISA has been pounding under Easterly's leadership.

Using programming languages like Rust, Go, Python, and Java can eliminate memory-safe vulnerabilities, which currently compromise around two-thirds of all known software vulnerabilities, according to CISA. Memory safety bugs - such as out-of-bounds reads and writes or use after free() - also increase the cost of software development when not caught early.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/02/28/cisa_easterly_secure_software/