zlacker

[return to "Open source liability is coming"]
1. Mounta+0a 2023-12-29 18:54:33
>>daniel+(OP)
Hopefully this will change attitudes in application security. Developers often try to ignore vulnerabilities found in the libraries they use, coming from the POV of "well, that's not my code so it's not my fault" instead of "we chose that library, so we're responsible for any vulnerabilities it creates for the company". If you're going to use FOSS and don't do anything to correct or mitigate the vulnerabilities in the part you choose to use, then it's your vulnerability. But they only see it from a POV of feeling blamed for something they didn't do, as it's not their code, and ignore the bigger picture: attackers don't care in the slightest who introduced a vulnerability for them to exploit; they're just happy that it exists.
2. jahav+411 2023-12-30 01:24:57
>>Mounta+0a
That is already part of the CRA:

> It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties.

> Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component.

EDIT: Also, I concur with the poster below. It's developers who push back against management to get time allocated for bugs and technical debt instead of new features.
