Software development is currently largely unregulated, which has upsides and downsides. But there are indications that this may be about to change.
On Jan. 5, 2017, the Federal Trade Commission filed a lawsuit against Taiwan-based computer networking equipment manufacturer D-Link Corp. and its U.S. subsidiary. The suit alleges that they “failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project (OWASP) has ranked among the most critical and widespread web application vulnerabilities since at least 2007.”
The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD) with sponsorship from the Department of Homeland Security (DHS). The database catalogs publicly disclosed software vulnerabilities, assigns each one a severity score reflecting the likely impact if it were exploited, and supports automated identification and management of vulnerabilities in computing systems. According to the database, the number of publicly identified software vulnerabilities has risen since 2011. Unfortunately, businesses and consumers usually bear the cost of addressing these flaws through patching, upgrades and other protections that mitigate the security risks. What is frustrating is that many of the vulnerabilities and exploit techniques are well known and could be addressed while the software is being developed, rather than after it ships.
By citing OWASP, which catalogs common technical vulnerabilities and their remedies, the FTC is pointing to a long-established reference for software security best practices. Guidance of this kind could readily be turned into voluntary government security standards designed to protect consumers, similar to federal automobile safety standards, and compliance eventually could be required before software is released to the public.
In fact, DHS has collaborated with Underwriters Laboratories (UL) to develop testable cybersecurity criteria for assessing software vulnerabilities, minimizing exploitability and addressing known malware. Businesses that can show their UL-tested software meets government-backed security standards will have a competitive advantage with security-conscious consumers.
Other signs that software security regulation could be an eventuality include former President Barack Obama’s 2013 executive order tasking NIST with developing a Cybersecurity Framework (CSF) to identify “standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.” The first version of the CSF was published in 2014.
According to a March 2016 survey by cybersecurity company Tenable Network Security, the heavily regulated banking industry had the highest CSF adoption rate, followed by information technology, government, health care and manufacturing industries.
On Dec. 28, 2016, the Food and Drug Administration issued its final guidance on postmarket management of cybersecurity in medical devices, emphasizing that manufacturers should continue to address cybersecurity vulnerabilities in their devices after they have been released to the market. It encouraged medical device manufacturers to adopt the CSF to manage those cyber risks.
In the span of three years, the government issued voluntary cybersecurity risk management standards, industries adopted them broadly, and regulators are now citing them in guidance. For better or for worse, the government’s involvement in private-industry cybersecurity is growing, and it likely will affect everyone involved in the software technology life cycle, including developers.
Michael Miranda, director of information security at Hawaiian Telcom, holds current Global Information Assurance Certification (GIAC) credentials as a Systems and Network Auditor (GSNA), Certified Intrusion Analyst (GCIA) and Certified Forensic Analyst (GCFA). Reach him at michael.miranda@hawaiiantel.com.