![Featured image for National Cybersecurity Strategy & Commercial Software Security](https://www.all-about-security.de/wp-content/uploads/2023/03/important-g8e7ddf6a8_640.jpg)
A Bold Step Forward to Incentivize Software Providers to Build More Secure Solutions
One of the boldest proposals in the Biden Administration's new National Cybersecurity Strategy is to "Shape Market Forces to Drive Security and Resiliency," including an objective to develop new legislation that shifts liability for insecure software products and services away from end users and onto the entities that produce them.
Because our research team at Onapsis has discovered and helped mitigate more than 1,000 zero-day vulnerabilities in business-critical application software over the last decade, we have a unique perspective on initiatives like this one. Understanding both the historical and the current state of cybersecurity in widely used commercial software, our team can offer insight into the pros and cons of this strategic objective.
We know first-hand from our threat research that many leading enterprise software providers have made significant investments in their secure development processes and capabilities over the last decade. The result has been new solutions that are more secure by design and ship with stronger security configurations by default. When performing advanced vulnerability analysis on these newer products, we have seen empirically that many of the "low-hanging fruit" vulnerabilities that were exploitable in prior versions have been controlled or mitigated in newer releases. This is a clear indication that many software providers are moving in the right direction.
However, the number of new vulnerabilities continuously discovered and exploited by threat actors cannot be ignored, and it is clear proof that we are not much closer to solving this problem. The data also supports the Administration's claim that historical and current market forces have proven ineffective at changing this reality: the realized financial losses from breaches and security flaws in a product are often immaterial to the software provider, but can be catastrophic and pervasive for the users of the vulnerable product or service.
For ERP and business applications in particular, this challenge is drastically exacerbated because these applications serve as the essential digital core for the world's largest businesses and for organizations in critical infrastructure sectors such as energy and utilities, manufacturing, and pharmaceuticals, supporting their most critical processes and information. In these scenarios, the security of a software solution matters beyond any single user or organization: given the specialized nature of these products, a large number of users rely on the same (or the same few) commercial software products for mission-critical use cases. That concentration has the potential to create systemic risk at the national and global level if malicious threat actors discover and exploit vulnerabilities in them.
In the perpetual cat-and-mouse game between defenders and threat actors, how do we, the defenders, win? I agree with several experts who have noted that it will be very challenging to make any legislation adaptable enough to capture this dynamic holistically without stifling innovation. However, what is the alternative? The software and cybersecurity industry as a whole must acknowledge that commercial software security will not improve unless we radically change our approach and re-align incentives. Our industry has tried many things before, from consortiums, to researchers releasing unpatched zero-day vulnerabilities at conferences, to software vendors putting public pressure on each other to patch faster.
Unfortunately, these attempts have clearly not addressed the root cause of the problem: the absence of meaningful stakes for companies to ensure their software is secure. Prior to this new strategy, there has not been enough upside for most software producers to proactively invest in and build capabilities at the level required to solve this problem, and the downside of not doing so has been immaterial to their bottom lines.
We depend too much on commercial software as a society to continue hoping that things will magically improve. As the old saying goes: hope is not a strategy.
Raising the bar and the expectations of due care, while rewarding and shielding from liability the vendors that demonstrably meet it, is a welcome step toward a discussion of how we can re-align the incentives in the software ecosystem and build a more secure future for all of us. At Onapsis, we plan to continue being active participants in this strategy as it moves forward to implementation, making our contribution to creating that better future.
Source: Onapsis-Blog