Sunday, July 4, 2021

Government is now mandating safer software



In the late 90's I was invited to attend an event sponsored by the National Institute for Occupational Safety and Health (NIOSH).  It was about how software sucked and was unsafe.


I saw the handwriting on the wall that someday the Government would start regulating software, because industry wasn't (management sees it as a waste of time and, more importantly, of their money).  I started my Software Safety site way back then and became a Certified Software Quality Engineer (CSQE from ASQ).  I expected that someday there would be a need for people, such as myself, who could review software for correctness, especially in the embedded-systems area.  It has taken far longer than I expected for the Government to start mandating safer software.  That day has arrived.


This is about TikTok.  However, the order makes no distinction between 'connected software' and embedded devices such as its '(d) end-point device'.


https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/


"... In evaluating the risks of a connected software application, several factors should be considered.  Consistent with the criteria established in Executive Order 13873, and in addition to the criteria set forth in implementing regulations, potential indicators of risk relating to connected software applications include: ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities; use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data; ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary; ownership, control, or management of connected software applications by persons involved in malicious cyber activities; a lack of thorough and reliable third-party auditing of connected software applications; the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and the extent to which identified risks have been or can be addressed by independently verifiable measures. ...


(d) The Secretary of Commerce shall evaluate on a continuing basis transactions involving connected software applications that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.  ...


Sec. 3.  Definitions.  For purposes of this order: (a) the term “connected software application” means software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the Internet; ..."



http://www.softwaresafety.net