Microsoft has published a paper on Best Practices for a Secure Software Supply Chain. https://docs.microsoft.com/en-us/nuget/concepts/security-best-practices
You should not be surprised that it says Caveat Emptor. It is all about how the buyer of software must manage the risk of any corruption in the supply chain. It is silent on the supplier's, e.g., Microsoft, responsibility. It simply assumes that some supplier in your supply change will ship you corrupt code, essentially with no accountability.
The issue first gained notice when a supplier, SolarWinds, having failed to manage the content of its product, shipped malicious code to all of its customers. It's response, like that of Microsoft, was "Y'all be ca'ful, heah."
Suppliers must be held accountable for all the code that they ship. We have become so accustomed to poor quality code, and the huge cost of "patching" that comes with it, that this idea seems somehow foreign. However, this issue is about code content, not quality.
I do not propose to so reform the market that suppliers would be held accountable for implementation induced vulnerabilities in their code, for its suitability for its intended use, for its merchantabiity. I only want them to be held accountable for malicious code, whatever its source, that they ship. Managing the content of one's product, where it came from, may be related to, but simpler than that of ensuring that it is free of dangerous errors.
I recently asked a colleague, a famous attorney, partner in a prestigious Washington law firm, why he thought that SolarWinds had not been sued for its gross negligence? His answer was that the injured parties were enterprises, that they did not see themselves in the role of plaintiff.
So called "software engineers" must be held accountable to the same standards that we hold all other "engineers." Suppliers in the software supply chain must the held to the same standards as we hold other suppliers. Software should not be synonymous with dangerous.
Posts
