拟立法禁止采购有漏洞软件，“引爆”网络安全行业

资料引用：

Truth about that ban on US govt from buying insecure apps • The Register

1、The register 8月19日 news

2、《安全内参》8月22日消息

SEC. 6722. DHS SOFTWARE SUPPLY CHAIN RISK MANAGE-MENT

关于软件供应链风险管理条款

(1) A certification that each item listed on the

submitted bill of materials is free from all known

vulnerabilities or defects affecting the security of the

end product or service identified in—

要求“ 提交软件物料清单中列出的所有项目，均不存在影响最终产品或服务安全性的已知漏洞或缺陷，并给出证明。”

(A) the National Institute of Standards

and Technology National Vulnerability Data-

base; and

(B) any database designated by the Under

Secretary, in coordination with the Director of

the Cybersecurity and Infrastructure Security

Agency, that tracks security vulnerabilities and

defects in open source or third-party developed

software.

已知漏洞或缺陷，是指国家标准与技术研究院（NIST）发布的国家漏洞数据库，以及网络安全与基础设施安全局（CISA）指定的用于“跟踪各开源或第三方开发软件内安全漏洞/缺陷”的数据库内列出的条目。

(2) A notification of each vulnerability or defect

affecting the security of the end product or service,

if identified, through—

(A) the certification of such submitted bill

of materials required under paragraph (1); or

(B) any other manner of identification.

(3) A notification relating to the plan to miti-

gate, repair, or resolve each security vulnerability or

defect listed in the notification required under para-

graph (2).

如果合同内包含“ 关于所列出各项安全漏洞或缺陷的缓解、修复或解决方法”，政府一方就可购买包含已知缺陷的软件。

chapter 1 ：

安全内参8月22日消息，美国立法者希望立法改善政府的部分网络安全防御措施，但却引发了信息安全专家们的质疑和不满。《2023财年国防授权法案》，对应着划拨给美国军队和政府各关键领域的数十亿美元财政预算。目前法案已经在众议院通过，接下来需要经参议院批准，最后由拜登总统签字执行。

今天要讨论的争议，集中在该法案草案看似合理的条款：管理国土安全部及其应用程序/在线服务供应链的软件级攻击风险。这份拟议法案要求，对于新签和现有政府合同，软件供应商应保证“提交软件物料清单中列出的所有项目，均不存在影响最终产品或服务安全性的已知漏洞或缺陷，并给出证明。”

所谓“已知漏洞或缺陷”，是指美国国家标准与技术研究院（NIST）发布的国家漏洞数据库，以及网络安全与基础设施安全局（CISA）指定的用于“跟踪各开源或第三方开发软件内安全漏洞/缺陷”的数据库内列出的条目。

换句话说：国土安全部不得采购任何包含已知、已登记安全漏洞的软件。

这项要求的出发点是好的，旨在防止恶意黑客利用Log4j之类的漏洞破坏政府敏感系统。但法案中的具体措辞却令行业专家颇感沮丧。一方面，任何代码都存在bug，这一条款基本上切断了政府军工部门原本强大的采购流程。另一方面，漏洞数据库中相当一部分漏洞并不属于安全风险。

总而言之，如果严格执行该项法案，那么美国政府后续将无法部署任何软件/服务。软件供应链安全厂商Chainguard的联合创始人兼CEO Dan Lorenc表示，“这项要求往好了说是受到误导，往坏了想肯定会引发大麻烦。”不过，这项要求也有回旋空间。如果合同内包含“关于所列出各项安全漏洞或缺陷的缓解、修复或解决方法”，政府一方就可购买包含已知缺陷的软件。换句话说，只要可以缓解或修复措施，就不会影响各部门的正常采购。

争议过大引发行业热议

这个问题在推特上掀起了争论热潮。有人担心软件供应商为了正常向政府客户出售软件，故意对漏洞信息知情不报（不再注册CVE编号）。另一方面，各家企业在争夺合同的过程中，也可能会挖其他竞争者产品的漏洞作为“黑料”。

安全厂商Rapid7的高级政策主管Harley Lorenz Geiger律师在推文中提到，“立法者起草的条文相当于在说：要么放弃继续上报软件漏洞，要么被排除在软件投标范围之外，你们自己选。”“这里我要提醒一句，并不是所有安全漏洞都有严重危害，或者能够/应该缓解。感谢立法者，祝好。”

漏洞协调与众测厂商Luta Security的CEO Katie Moussouris等行业专家，则呼吁安全专家们先别反应过激。她在Twitter上写道，新法案其实允许政府官员“采购那些虽包含CVE，但已有缓解方法的软件产品”，同时提醒政府方面“在部署之前必须缓解或接受这些风险”。

市场研究公司Dell'Oro Group负责网络安全的研究主管Mauricio Sanchez也在采访中提到，虽然他理解立法者们的善意动机，但在技术采购方面设置的种种要求，很可能会阻断政府的正常部署流程。他提到，“很遗憾，这就是我们立法者的典型做法，只提要求、不讲方法。”

在Sanchez看来，这项法案的最终走向恐怕只有以下三种。

第一：立法者服软。技术游说部门等各方提出有力的反对意见，宣扬这项要求根本就无法实现（也确实无法实现），于是立法者选择删除这部分条文。

第二：做出澄清。立法者对条文“做出修正”，把这项过于理想的要求修改得更加实际。

最后：直接摆烂。立法者可能懒得费脑筋，强行出台这项新政，然后向选民们宣扬自己支持网络安全、改善美国风险水平的姿态。至于收拾这个烂摊子需要投入多少时间、精力和金钱，那就是各联邦机构和法院自己的问题了。而且Sanchez本人的看法比较悲观。“如果让我押个宝，那我赌立法者会选择最后这条。”

chapter 2：

An attempt by lawmakers to improve parts of the US government's cybersecurity defenses has raised questions – and hackles – among infosec professionals.

The National Defense Authorization Act for Fiscal Year 2023 – which, if passed, provides billions in funding for the American military and other critical areas of the government – has gone through the House of Reps and requires Senate approval before president Joe Biden can green light it.

This draft law contains a seemingly well-intentioned section on managing the risk of software-level attacks on the Department of Homeland Security and its supply chain of applications and online services.

With respect to new and existing government contracts, the proposed act requires a software vendor to provide: "A certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service."

This includes vulnerabilities listed in NIST's National Vulnerability Database or any other CISA-designated database "that tracks security vulnerabilities and defects in open source or third-party developed software."

In other words: Homeland Security can't buy software with any known, registered security flaws.

While this is likely intended to prevent the exploitation of things like Log4j bugs by miscreants to compromise sensitive government systems, the act's language at first glance is frustrating for some. For one thing, all code has bugs – so blocking purchases on that basis would halt the government's procurement system in its mighty military-industrial tracks. Then there's the issue of some bugs that aren't actually a security risk being wrongly logged in vulnerability databases.

By a strict reading of this act, nothing would ever get deployed.

"This idea is just misguided at best and an impending sh*tshow at worst," argued Chainguard co-founder and CEO Dan Lorenc.

Now the reality

However, there's a big caveat. Uncle Sam can buy known buggy software if the contract includes "a notification relating to the plan to mitigate, repair, or resolve each security vulnerability or defect listed in the notification." In other words, if a bug can be mitigated or is due to be fixed, it's not a showstopper.

Still, the language sparked an outcry in the Twitterverse as well as concerns that software vendors will stop reporting CVEs – or companies competing for contracts will run bug bounties on each other.

"Policymakers: please stop considering requirements to eliminate all software vulnerabilities, or bans on sale of software with any vulnerabilities," tweeted attorney Harley Lorenz Geiger, a senior policy director at Rapid7.

"Please understand that not all vulnerabilities are significant, or can or should be mitigated. Okay, thanks policymakers, good chat."

Others, such as Luta Security CEO Katie Moussouris, urged security pros to take a deep breath and relax. The act allows government officials "to buy software with known CVEs that are mitigated," she tweeted, adding that Uncle Sam "has to mitigate or accept the risk before deploying."

It's 2022 and there are still thousands of public systems using password-less VNC
Palo Alto bug used for DDoS attacks and there's no fix yet
Microsoft trumps Google for 2021-22 bug bounty payouts
Homeland Security warns: Expect Log4j risks for 'a decade or longer'

Mauricio Sanchez, a research director at Dell'Oro Group who covers network security, told The Register that while he believes the legislators are well-intentioned, the language may put officials in an impossible position when it comes to purchasing technology.

"Unfortunately, it's typical behavior of our legislators to issue mandates that describe the 'what' but not the 'how,'" he said.

Sanchez said he sees this law bill playing out one of three ways, with regards to Congressfolk.

One: "They cave," he said. "The technology lobbying arm or someone else raises a colossal stink that this is an untenable mandate (which it is), so legislators remove the wording."

The second option: "They clarify," which Sanchez noted involves lawmakers "doing the right thing" and making the mandate more practical as opposed to idealistic.

Finally, there's a third scenario. "They punt," Sanchez said. "They take the easy route, leave it in as is, and then claim to their constituency that they are pro-cybersecurity and improving US posture. This leaves federal agencies and courts to expend unnecessary time, energy, and money to clean and tighten up."

He's not too hopeful. "If I were a betting man," Sanchez added, "I'd place the bet on number three." ®

关于泛联新安

泛联新安是国内领先的基础软件提供商。以程序分析专家为核心能力定位，聚焦于提供业内先进的开发支撑软件和EDA软件。

在国内率先布局，持续深耕智能程序分析、编译器技术、软件逆向分析、软件漏洞挖掘、高性能程序仿真等底层核心技术方向，研发出软件质量测试、软件安全测试、数字电路验证（EDA）三大类10余款产品，构建丰富的产品矩阵，形成了基于统一技术架构的高效产品孵化能力。所有产品全部拥有自主知识产权，并在军工、航空航天、轨道交通、金融、电力、互联网等领域积累了大量头部客户。

与清华大学合作成立北京清科智信科技有限公司，与中科院共同投资组建中科空间（长沙）信息科技研究院，与国防科技大学共建湖南省软件安全智能并行分析重点实验室，现拥有核心知识产权申请和授权发明专利、软件著作权69项，获得CWE、泰尔实验室、麒麟软件Neo Certify等多项国内外认证。

泛联新安致力于帮助企业快速构建安全、优质的软件，通过提供代码功能检测、已知漏洞比对、未知漏洞挖掘等多款检测产品，推动DevSecOps、AppSec、CI/CD战略、SBOM清单、风险评估及资产管理等软件安全理念在具体工程中的实践落地，引入从源头及时治理安全问题、洞察代码风险、为客户提供当前软件安全性活动的概况呈现及管理，助力企业更高效落地，推动产业数字化转型，提升高质量发展速度。

拟立法禁止采购有漏洞软件，“引爆”网络安全行业相关推荐

我国拟立法禁止大数据杀熟；工信部通报43款App违规整改不彻底丨钛晚报
关注ITValue,看企业级最新鲜.最价值报道! 图片来源天堂图片网 8月 18日百度发布无人车出行服务平台"萝卜快跑",三年内将覆盖30个城市:中国恒大美元债券继续走低:LG ...
新荣耀员工现金补偿最高可拿 N+5；天津立法禁止采集人脸识别信息；IntelliJ IDEA 新版发布|极客头条...
整理 | 郑丽媛头图 | CSDN 下载自东方 IC 快来收听极客头条音频版吧,智能播报由出门问问「魔音工坊」提供技术支持. 「极客头条」-- 技术人员的新闻圈! CSDN 的读者朋友们早上好哇,「 ...
iPhone卫星功能仅用于紧急通信；韩国通过立法禁止苹果、谷歌垄断支付系统；Linux 5.14 版本发布|极客头条
一分钟速览新闻点! 小米集团加入开源专利社区 OIN 饿了么:延长扬州会员一个月的权益阿里云教育推出钉钉课后服务系统华为 P50 Pro 推送鸿蒙更新淘宝更换新的 Slogan 为"淘 ...
【每日新闻】9家虚拟运营商与中国移动签约首批牌照有望近期下发 | 澳大利亚正考虑禁止采购华为5G设备...
点击关注中国软件网最新鲜的企业级干货聚集地趋势洞察坚持是种信念,努力是种精神! 2018中国软件生态大会趋势洞察工信部王卫明:人工智能正在成为推进供给侧结构性改革的新动能工业和信息化部科技 ...
系统策略禁止安装python_Win10系统如何禁止自动安装捆绑软件？
Win10为了帮助用户可以更好的办公,内设了许多功能,而这些功能会在系统安装后于后台静默安装.对于一些喜欢纯净系统的用户而言,这些软件没有一点作用,如果一一卸载十分繁琐.那么要如何禁止win10系统自 ...
「企企通」完成Pre-D轮融资，加速采购供应链工业软件和 SaaS 网络生态构建
企企通作为领先的采购供应链工业软件和SaaS生态平台,在一年内再次宣布获得Pre-D轮融资,全年合计融资额达数亿元人民币,目前还有意向投资机构在进行,并开始启动IPO的筹备工作.本轮投资由华映资本独家 ...
计算机如何安装程序,怎么禁止电脑安装任何软件？禁止计算机安装程序的方法(图文)...
经常上网的人都会遇到这样的问题:电脑被莫名其妙安装了一堆软件,大多数不是自己安装的,而且也常常没用,却会导致电脑运行速度越来越慢.为此,我们需要禁止电脑随意安装软件,并且禁止这些软件随电脑开机自动启动 ...
windows10 设置禁止电脑自动安装软件，安装软件时会有提示
禁止电脑自动安装软件的方法: 1.打开本地组策略编辑器,找到windows设置: 2.依次打开安全设置.本地策略.安全选项: 3.在本地安全设置中,设置[同意提示]即可. 本文操作环境:windows ...
只需三步，轻松禁止电脑打开指定软件或游戏
很多家长朋友想要禁止家里的电脑上运行指定程序,防止孩子上网课间隙总是偷偷玩电脑游戏,却又不知从何下手.今天小编教大家一个简单快捷的方法~禁止打开指定的软件或游戏!!! 那么在进行操作之前我们首先需要知 ...
全球及中国梦幻体育软件和平台行业十四五规模展望及应用价值分析报告2021-2027年
全球及中国梦幻体育软件和平台行业十四五规模展望及应用价值分析报告2021-2027年目录 2020年,全球梦幻体育软件和平台市场规模达到了百万美元,预计2027年将达到百万美元,年复合增长率(C ...

拟立法禁止采购有漏洞软件，“引爆”网络安全行业

Now the reality

拟立法禁止采购有漏洞软件，“引爆”网络安全行业相关推荐

最新文章

热门文章