The Register: CISA boss: Makers of insecure software are the real cyber villains

Source URL: https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/
Source: The Register
Title: CISA boss: Makers of insecure software are the real cyber villains

Feedly Summary: Write better code, urges Jen Easterly. And while you’re at it, give crime gangs horrible names like ‘Evil Ferret’
Software developers who ship buggy, insecure code are the real villains in the cyber crime story, according to Jen Easterly, boss of the US government’s Cybersecurity and Infrastructure Security Agency.…

AI Summary and Description: Yes

Summary: Jen Easterly, leader of the US Cybersecurity and Infrastructure Security Agency (CISA), emphasized the critical role of software developers in cybersecurity during her keynote address. She urged the industry to address software quality issues that lead to vulnerabilities and cybercrime, advocating for a shift in responsibility from victims to technology vendors. Easterly called for a collective industry effort to ensure software is secure by design.

Detailed Description: Jen Easterly’s keynote speech at the Mandiant mWise conference brought to light several major points regarding the state of cybersecurity and the critical challenges posed by software quality. Her insights resonate deeply within the domains of information security and software security, reflecting a demand for accountability in software development. The following are the crucial points made during her address:

– **Software Quality Issue**: Easterly argued that the persistent vulnerabilities in software are chiefly a quality issue rather than solely a security problem. This perspective suggests that improving the foundational quality of software could substantially mitigate cyber threats.

– **Accountability of Technology Vendors**:
  – She criticized technology companies for creating insecure software products that facilitate cybercrime.
  – The phrase “software vulnerabilities” was deemed too lenient; Easterly proposed calling them “product defects” to better reflect the responsibility of developers.

– **Growing Number of Pledge Signatories**:
  – Nearly 200 vendors have signed CISA’s Secure by Design pledge. However, the voluntary nature of this commitment raises concerns about enforceability and genuine adherence.

– **Industry-Wide Call to Action**:
  – Easterly encouraged organizations to leverage their purchasing power, pressuring vendors to prioritize security in their development life cycles.
  – CISA has published guidance to assist organizations in evaluating software manufacturers on their security practices.

– **Urgency for Change**:
  – Easterly indicated that the industry has room for improvement, urging vendors to prioritize secure coding practices and comprehensive pre-release testing of their products.

– **Procurement Power**: Businesses and organizations are encouraged to actively question suppliers about their commitment to security protocols, as a means to foster a safer software ecosystem.

Easterly’s speech highlights a paradigm shift necessary in the software industry, pushing for a proactive stance on security measures over reactive fixes. This can serve as a wake-up call for both software developers and organizations relying on technology, emphasizing that true cybersecurity needs to begin with the software development process itself. The implications of her message are significant for professionals in AI, cloud, and infrastructure, underscoring the necessity for secure software as a foundational element of any cybersecurity strategy.