[Owasp-leaders] Raising Visibility Software Security

Tom Brennan - OWASP tomb at owasp.org
Wed Dec 10 04:31:34 UTC 2014


In the USA on Thursday, Rep. Royce introduced a bill: H.R. 5793, the "Cyber
Supply Chain Management and Transparency Act of 2014."

GAME CHANGER? This is directly in line with what so many of us have focused
on and in line with the mission of raising software security more here

The actual Bill:
http://www.gpo.gov/fdsys/pkg/BILLS-113hr5793ih/pdf/BILLS-113hr5793ih.pdf

TL;DR

1) Ingredients:

Anything (HW/SW/FW) sold to $PROCURING_ENTITY must provide a Bill of
Materials of 3rd Party and Open Source Components (along with their
Versions)

2) Hygiene & Avoidable Risk:

…and cannot use known-vulnerable components for which a less vulnerable
component is available (without a written and compelling justification
accepted by $PROCURING_ENTITY)

3) Remediation:

…and must be patchable/updateable – as new vulnerabilities will inevitably
be revealed (within a reasonable timeframe).

---

This is an important step in the right direction that started in the
trenches and has gone up the tree...(there are many trees)

Continued awareness and pressure are requested -- do you know how a bill
becomes a law in the USA? Here is a little video to explain it <grin>

http://m.youtube.com/watch?v=Otbml6WIQPo


http://proactiverisk.blogspot.com/2014/12/cyber-supply-chain-management-and.html