https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), has urged software developers to prioritize security in their products. In a keynote address at the mWISE conference, Easterly criticized the industry for producing buggy and insecure code that enables cybercriminals to exploit vulnerabilities and attack victims.

Easterly argued that technology vendors are responsible for creating the conditions that allow for cyberattacks. She called for an end to the “glamorization” of crime gangs with fancy names, suggesting instead that they be referred to as “Scrawny Nuisance” or “Evil Ferret.” Easterly also criticized the term “software vulnerabilities,” saying it diffuses responsibility and that they should be called “product defects.”

The CISA director emphasized the need for more secure products, arguing that the industry's current focus on cybersecurity is misplaced: the real problem is the underlying software quality that fuels the global cybercrime problem, and that is what needs to be addressed. Easterly compared the situation to buying a car or boarding an airplane without knowing its safety record, noting that we do exactly this every day with the software that underpins our critical infrastructure.

To address the issue, Easterly called on organizations to use their purchasing power to pressure software vendors to prioritize security. She suggested that buyers ask suppliers whether they have signed CISA’s Secure by Design pledge, which commits vendors to seven secure-software goals. Easterly also highlighted CISA’s Secure Demand Guide, which gives organizations buying software guidance on the questions to ask manufacturers so they can better understand a vendor's security practices before purchasing.

By demanding more secure software, Easterly believes that organizations can help create a safer digital environment and reduce the risk of cyberattacks.