Software Security Imperative: Forging a Unified Standard of Care
The relentless pace of software development is on a collision course with an escalating wave of sophisticated cyberthreats. The numbers are staggering: data breaches now cost an average of $9.3 million per incident in the United States, and, for the second consecutive year, supply chain compromise tops the list of cybersecurity threats, with exploitation of vulnerabilities as an attack vector up 180% year over year.
The technology sector must evolve from “making do” with fragmented security practices to upholding a unified standard of care that protects both innovation and end users.
A troubling disconnect pervades our digital landscape: Open source software, the backbone of modern innovation, often lacks consistent, comprehensive security oversight across the industry. This gap between our reliance on software and our accountability for its security demands an urgent, systemic overhaul in the way we approach software liability and cybersecurity standards.
Security leaders across the technology industry must collaborate to establish and enforce a unified cybersecurity standard of care, embracing principles such as Secure by Design. This isn’t just about new mandates; it’s about refining existing practices, such as software bill of materials (SBOM) requirements for open source software, to foster an industrywide commitment to digital safety.
Establishing Baseline Security Requirements
Every stakeholder in the technology ecosystem, from tech vendors and their customers to partners and the broader industry, shares an implicit understanding of the need to uphold reasonable cybersecurity standards. This responsibility extends to creating and maintaining a cybersecurity standard of care that establishes baseline security requirements across the tech industry.
Establishing these standards represents more than regulatory compliance; it’s an investment in the long-term viability of the technology industry. With software now deeply embedded in critical infrastructure, healthcare, finance and national security, the consequences of inadequate security extend far beyond any single organization.
The development of these standards must be a collaborative endeavor involving input from security experts, legal professionals, regulatory bodies and industry practitioners. Only through this collective effort can we create standards that are both technically robust and universally applicable across diverse organizational contexts.
Navigating Innovation and Liability to Protect Open Source
The debate surrounding liability in the open source ecosystem requires careful consideration. Imposing direct liability on individual open source maintainers could stifle the very innovation that drives the industry forward. It risks dismantling the vast ecosystem that countless developers rely upon.
Instead, the primary responsibility for the overall security of software products should rest with the technology companies that commercialize them. Open source software is a foundational component of technological advancement, but shipping it safely requires rigorous additional security practices. Organizations integrating these components into their products must exercise thorough due diligence: know exactly which components and versions they ship, scan them for known vulnerabilities, and keep that inventory current as dependencies change.
By establishing and enforcing industry-wide security standards through legal and regulatory measures, we can work toward creating a safer digital environment for all without undermining the collaborative essence of open source development.
SBOMs: A Critical Business Necessity
GitLab research found that 67% of developers reported that a quarter or more of the code they work on is derived from open source libraries, yet only 21% of organizations are currently using SBOMs to document the components that comprise their software.
The SBOM is rapidly transitioning from a nascent concept to an undeniable business necessity. As regulatory pressure intensifies, driven by growing awareness of software supply chain risk, a robust SBOM strategy is becoming critical for any organization that ships software. But the value of SBOMs extends far beyond a single software development project.
While often discussed in the context of open source software, an SBOM provides visibility across the entire software ecosystem. It illuminates components from third-party commercial software, records what each codebase contributed when projects are merged, and validates code from external contributors or subcontractors: in short, any code integrated into a larger system.
By proactively generating and meticulously maintaining SBOMs, organizations don’t just secure their own software supply chains, they contribute to fortifying the resilience of the entire technology ecosystem.
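As an added example (not part of the original article or of any vendor's tooling), the following Python script audits a constructed CycloneDX 1.5 JSON SBOM the way a downstream consumer would: it rejects components that cannot be identified (no purl, or a declared version that disagrees with the purl) and compares each identified component's version against an advisory list. The package names, the purls and the advisory identifier EXAMPLE-ADV-0001 are assumptions made for illustration, not a real inventory or a real advisory.

```python
"""Audit a CycloneDX JSON SBOM: report components that cannot be identified
and components whose version falls below an advisory's fixed version."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5 document for a hypothetical service. Package names,
# versions and purls are illustrative, not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "billing-api", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "example-widget", "version": "1.2.3",
         "purl": "pkg:npm/example-widget@1.2.3"},
        {"type": "library", "name": "example-widget", "version": "1.3.0",
         "purl": "pkg:npm/example-widget@1.3.0?vcs_url=git%2Bhttps%3A%2F%2Fexample.invalid"},
        {"type": "library", "name": "legacy-pdf-gen", "version": "1.0",
         "purl": "pkg:generic/legacy-pdf-gen@1.0"},
        # Subcontractor drop with no version and no purl: cannot be matched to anything.
        {"type": "library", "name": "vendor-sdk"},
        # Declared version disagrees with the purl: the record is untrustworthy.
        {"type": "library", "name": "mismatched-lib", "version": "2.0.0",
         "purl": "pkg:pypi/mismatched-lib@2.0.1"},
    ],
})

# Constructed advisory list (hypothetical identifier): unversioned purl -> (fixed_in, id).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "pkg:npm/example-widget": ("1.3.0", "EXAMPLE-ADV-0001"),
}


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Return (type/namespace/name, version) from a purl, dropping qualifiers and subpath."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = core.partition("@")
    return base, (version if sep else None)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted versions; non-numeric parts count as 0 (semver-style tags only)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def audit_sbom(sbom_text: str, advisories: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket every component as incomplete, flagged (below an advisory's fix) or clean."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings: Dict[str, List[str]] = {"incomplete": [], "flagged": [], "clean": []}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl")
        if not purl:
            findings["incomplete"].append(f"{name}: no purl")
            continue
        base, purl_version = split_purl(purl)
        declared = comp.get("version")
        if not purl_version or not declared or purl_version != declared:
            findings["incomplete"].append(f"{name}: version unpinned or inconsistent")
            continue
        hit = advisories.get(base)
        if hit and version_key(purl_version) < version_key(hit[0]):
            fixed_in, adv_id = hit
            findings["flagged"].append(f"{purl}: {adv_id} (fixed in {fixed_in})")
        else:
            findings["clean"].append(purl)
    return findings


if __name__ == "__main__":
    for bucket, items in audit_sbom(SAMPLE_SBOM, ADVISORIES).items():
        print(bucket, items)
```

Two design points matter for a real pipeline. Matching on the purl rather than on the free-text `name` is what makes the check reliable across ecosystems, and comparing versions against the advisory's fix version (rather than testing equality against a list of bad versions) is what catches every affected release. A component that cannot be pinned to a purl and a consistent version is treated as a finding in its own right, because an inventory entry nobody can match to an advisory feed gives no assurance at all.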
Building a Secure Digital Future
The path to a secure digital future requires commitment from all stakeholders. Technology companies must adopt comprehensive security practices, regulators must craft thoughtful policies that encourage innovation while holding organizations accountable and the broader ecosystem must support the collaborative development of practical and effective standards.
Crucially, we must dispel the myth that security, speed and innovation are competing priorities. A balanced, integrated approach shows they are not: robust security measures can coexist with, and even enhance, rapid development cycles, cultivating a more resilient and inherently trustworthy technology ecosystem.
By taking collective action now to establish and enforce a cybersecurity standard of care, the technology industry can build a foundation of trust that supports continued innovation while protecting the digital infrastructure on which society increasingly depends. The future of software liability is about embracing shared responsibility for a more secure digital world.