As we watch hackers compromise systems of both large and small companies in every country every day, it kind of points out the obvious – whatever security programs companies that develop software have in place are not adequate to the threat.
Up until now, software companies have not suffered because their license agreements say that you use their software at your own peril.
Microsoft alone releases, typically, one hundred patches every month – a thousand plus a year.
Oracle, which releases patches quarterly, typically releases 300-400 patches a quarter.
This is not to pick on these companies. Software is complex and a lot of it, contrary to the claims of the vendors, is very old.
Windows 11 is Microsoft’s new, bright, shiny toy. How much of the code in Windows 11 is new? Microsoft will never admit this because it is embarrassing, but the new code in Windows 11 probably represents, maybe, 10 percent of the Windows code. And that is generous. Even if this code is perfect – and it is not – what about the 90 percent that is old. Some of that code is 25+ years old.
As of March 2022, any company that sells software to the government (or sells software to companies that sell software to the government) must have a rigorous software security program in place. This includes traditional, on-premise commercial software, software that is provided as a service, and any open-source software components that are included in that software.
NIST published a secure software development framework (SSDF) earlier this year and it is certainly reasonable to say that any software security program that is not, at least, as rigorous as NIST’S SSDF probably won’t meet the requirement. You don’t have to do what NIST recommends, but it better be, demonstrably, as good as what NIST is recommending.
On top of this, the Office of Management and Budget is about to release attestation guidelines. This is the rope that the government will use to hang you. If your executives attest to the security of your software development program and they stretch the truth, so to speak, well, the results might not be pretty.
Also, consider this.
If I was a large commercial business, it would be smart of them to say that we will only do business/buy software or products from vendors who comply with NIST’s SSDF and can attest to that fact.
This means that even if you don’t sell software to the government it is likely this will affect you because your customers, in their RFPs and contracts, will require compliance as a matter of the contract, not a matter of law.
Credit: The White House