Vulnerability Management

Cyber experts weigh in on required software vulnerability certification

CyberScoop reports that cybersecurity experts are split on the software vulnerability provision in the recently passed National Defense Authorization Bill that would compel software vendors working with the military to sell software without known security flaws or defects. Such a provision is necessary to hold software providers more accountable for their offerings, according to Cyber Threat Alliance President Michael Daniel. "This change would be pretty significant because software developers have long borne no liability for vulnerabilities in their products," said Daniel, who served as senior cybersecurity adviser during the Obama administration. However, Chainguard CEO Dan Lorenc noted that the provision would be unreasonable as no software is free from vulnerabilities. "At first glance to someone outside the industry, it sounds perfectly fair to ban selling software with known vulnerabilities. Why would you sell something vulnerable? And why would someone buy it? Especially an organization responsible for national security. But to anyone who has spent time looking at CVE scan results, this idea is just misguided at best and an impending s***show at worst," wrote Lorenc.
