A provision in the House-passed NDAA for next year would require developers who sell software to the Department of Defense to certify that is “free from all known vulnerabilities,” a superficially simple measure which has instead become the subject of debate among cybersecurity experts. On one hand, proponents—including the Biden Administration—argue that the users of software unfairly shoulder the burden of maintaining cybersecurity. Deputy national security advisor Anne Neuberger compared this proposed requirement to rules governing the automotive industry, where manufacturers retain ownership and responsibility for flaws throughout the life of a vehicle. Critics argue that it’s impossible to certify this genuinely. Dan Lorenc, a former Google software engineer and CEO of Chainguard, wrote that “this idea is just misguided at best and an impending s***show at worst.”
Source:
