SOPlanning version 1.52.00 suffers from a cross site scripting vulnerability in groupe_save.php.

Exploit Title: SOPlanning v1.52.00 'groupe_save.php' XSS (Reflected XSS)Application: SOPlanningVersion: 1.52.00Date: 4/22/24Exploit Author: Joseph McPeters (Liquidsky)Vendor Homepage: https://www.soplanning.org/en/Software Link: https://sourceforge.net/projects/soplanning/Tested on: LinuxCVE: Not yet assignedDescription: SOPlanning v1.52.00 is vulnerable to XSS via the 'groupe_id' parameters a remote unautheticated attacker can hijack the admin account or other users. The remote attacker can hijack a users session or credentials and perform a takeover of the entire platform.Example Payload:"><script>alert('LiQUiDSKY')</script><!--Reflected XSS: /soplanning/www/process/groupe_save.php?saved=1&groupe_id="><script>alert('LiQUiDSKY')</script><!--&nom=Project+NewAnalysis: The landing page takes into consideration the user input then redirects to a page where the XSS is shown the payload included in the exploit, escapes the variable where it is held, and comments out the rest to perform a valid reflected XSS attack against any authenticated user the payload was sent to.

SOPlanning 1.52.00 Cross Site Scripting

Red Hat Security Advisory 2024-2068-03 - Red Hat OpenShift Container Platform release 4.15.11 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2068.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.11 bug fix and security update  
Advisory ID:        RHSA-2024:2068-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2068  
Issue date:         2024-05-02  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.11 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.11. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:2071

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* ironic-image: Unauthenticated local access to Ironic API (CVE-2024-31463)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2275847  
https://issues.redhat.com/browse/OCPBUGS-22926  
https://issues.redhat.com/browse/OCPBUGS-27948  
https://issues.redhat.com/browse/OCPBUGS-29092  
https://issues.redhat.com/browse/OCPBUGS-30970  
https://issues.redhat.com/browse/OCPBUGS-31045  
https://issues.redhat.com/browse/OCPBUGS-31324  
https://issues.redhat.com/browse/OCPBUGS-31641  
https://issues.redhat.com/browse/OCPBUGS-31686  
https://issues.redhat.com/browse/OCPBUGS-31802  
https://issues.redhat.com/browse/OCPBUGS-31806  
https://issues.redhat.com/browse/OCPBUGS-31811  
https://issues.redhat.com/browse/OCPBUGS-31820  
https://issues.redhat.com/browse/OCPBUGS-31830  
https://issues.redhat.com/browse/OCPBUGS-31839  
https://issues.redhat.com/browse/OCPBUGS-31842  
https://issues.redhat.com/browse/OCPBUGS-31924  
https://issues.redhat.com/browse/OCPBUGS-32024  
https://issues.redhat.com/browse/OCPBUGS-32093  
https://issues.redhat.com/browse/OCPBUGS-32097  
https://issues.redhat.com/browse/OCPBUGS-32114  
https://issues.redhat.com/browse/OCPBUGS-32164  
https://issues.redhat.com/browse/OCPBUGS-32173  
https://issues.redhat.com/browse/OCPBUGS-32191  
https://issues.redhat.com/browse/OCPBUGS-32246  
https://issues.redhat.com/browse/OCPBUGS-32299  
https://issues.redhat.com/browse/OCPBUGS-32311  
https://issues.redhat.com/browse/OCPBUGS-32340  
https://issues.redhat.com/browse/OCPBUGS-32355  
https://issues.redhat.com/browse/OCPBUGS-32357  
https://issues.redhat.com/browse/OCPBUGS-32396  
https://issues.redhat.com/browse/OCPBUGS-32399  
https://issues.redhat.com/browse/OCPBUGS-32414  
https://issues.redhat.com/browse/OCPBUGS-32435  
https://issues.redhat.com/browse/OCPBUGS-32498  
https://issues.redhat.com/browse/OCPBUGS-32518

Red Hat Security Advisory 2024-2068-03

If CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately.

Source: Tenebroso via Alamy Stock Photo

COMMENTARY

In a recent open letter, high-profile names from across the business, academic, and scientific worlds called for governments to intensify their regulation of deepfakes.

While their aims are admirable, their efforts are misplaced — it's innovation, not regulation, that will shore up our defenses against the deepfake threat. 

The letter, titled "Disrupting the Deepfake Supply Chain," was signed by prominent thinkers, including Stephen Pinker, computer scientist Joy Buolamwini, US politician Andrew Yang, and the "godfather" of AI, Yoshua Bengio.

Specifically, the letter called for increased criminalization of deepfakes, the establishment of specific criminal penalties, and liability for software developers and distributors for the use of their products in deepfakes. 

The letter correctly identifies the symptoms. Deepfakes are proliferating at a rapid rate — more than 900% annually, according to The World Economic Forum. This is ratcheting up the threat level across society.

Deepfakes are already an established weapon in the hacker arsenal. One finance worker recently paid $25 million to malicious actors after they used a deepfake of the employee's CFO in a video conference call. This should serve as a warning shot across the bow for the corporate world, and the open letter is correct to raise the alarm about the relative lack of action.

However, delegating responsibility to governments will only leave corporations more exposed. CEOs cannot afford to sit back and rely on regulators to stem the flow of deepfakes. They must take action and build their own defenses as soon as possible — and they are already starting from behind. Catching up will mean doubling their investment in innovative technologies that can counteract deepfakes.

**Stone Age Policies**

But why aren't governments up to the task themselves?

Most governments' cybersecurity departments and policies are in the Stone Age compared with these hackers. By the time legislation is drawn up, debated, and rolled out, it's often already antiquated and behind the pace of technological development. 

Furthermore, relying on reactive regulation in one government also means trusting all governments to do the same. No matter how punitive the legislation in one country, hackers in another country won't worry about the penalties, so nations will have to work together to negate the threat of deepfakes. But right now, hoping the Chinese or Russian states will prevent hackers from disrupting business in the West is nothing short of naive. 

CEOs and senior management must step up to the challenge and take responsibility for ensuring that they aren't the next victim of a deepfake scam.

Fortunately, management has several technologies available that can be rolled out to shore up their deepfake defenses, including advanced authentication, detection AI, and content watermarking. 

CEOs can integrate enhanced authentication standards to insulate their firms from deepfake scams. Two-factor or multifactor authentication systems require users to provide additional verification beyond a password, adding information that deepfake scammers will need to access sensitive information.

**Fighting Deepfakes With AI**

Management must also deploy AI in the fight against deepfakes. AI tools can analyze media files for anomalies and inconsistencies that are evidence of tampering. They can also analyze the subjects of these files, such as facial expressions and vocal patterns, and then flag non-natural inconsistencies that the human eye may miss. They can even compare deepfakes against genuine employee biometric data to identify fake representations of company employees.

Another option available to corporations is content watermarking, which embeds invisible, unique identifiers into official company media files. This can be used to verify the authenticity and origin of media content that employees come into contact with. 

These are just some of the many digital tools that management can use to insulate themselves from deepfake scammers and hackers. But they come at a cost.

Currently, cybersecurity funding lags far behind the scale of the threat that deepfakes pose. As with the finance worker above, company funds are at risk. Deepfake scams could also be used to access sensitive IP and trade secrets. Deepfakes of employees can also damage a firm's reputation, harming investor and consumer confidence. 

Even in the face of these ominous threats, firms continue to woefully underfund cybersecurity. The recent Cisco Cybersecurity Readiness Index highlights how only 3% of organizations have the "mature" level of readiness needed to be resilient against cyber threats. 

So, if CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately. Relying on the government to do this for them only increases their exposure to the risk that deepfakes pose. With healthier financing, corporations can roll out authentication tools, AI identification systems, and content watermarking to properly insulate themselves from the deepfake threat. 

**About the Author(s)**

Founder & CEO, artius.iD

Michael Marcotte is one of the world’s pre-eminent experts in digital identity, cybersecurity, and business intelligence technology. He joined EchoStar, the multibillion-dollar satellite communications firm, in 2006, and was Global CIO, Global CDO, and president (Hughes Cloud Services). He was one of the very first people to serve as chief digital officer of a major international corporation. Michael left EchoStar in 2014 and currently is the founder and CEO of digital authentication firm artius.iD. He has applied his expertise at a range of firms in technology, cybersecurity, and venture capital. He is also co-founder of the National Cybersecurity Center (NCC) and was founder and chairman of the NCC's Rapid Response Center Board. He has been a senior adviser for several heads of state and US senators.

Innovation, Not Regulation, Will Protect Corporations From Deepfakes

The AI security startup's platform will allow organizations to define appropriate AI usage and enforce security policies.

Source: Ole CNX via Shutterstock

The past two years have seen unprecedented interest in generative artificial intelligence (AI), with companies across all industries integrating capabilities into their products and services. Organizations are adopting these tools to work faster and more efficiently. However, these AI applications also pose security challenges for organizations, with heightened risks of leaks of customer data and intellectual property. They also expand organizations' attack surface, potentially exposing them to malicious data injection and other AI-driven attacks.

This evolving threat landscape sets the stage for Apex, an AI security company that came out of stealth yesterday. Apex's security platform provides organizations with visibility of their AI activities. Organizations can define what AI usage should look like within their environments and enforce security policies accordingly. The platform can detect violations to company policies, as well as detect and respond to attacks, the company said.

The platform also includes a secure portal through which users can interact securely with the organization's AI tools. Apex works with public generative AI tools such as ChatGPT and Gemini, copilots such as the one from Microsoft, and the organization's own custom AI applications.

Founded in 2023, Apex currently has a few trials with Fortune 500 companies, the company told Reuters. Apex's co-founders are Matan Derman (CEO) and Tomer Avni (CPO).

As part of the launch, Apex raised $7 million in seed funding from Sequoia Capital, Index Ventures, and angel investors, including Sam Altman, CEO of OpenAI. The company plans to use seed funding for product development, grow its team, and go-to-market activities.

**About the Author(s)**

New AI Security Startup Apex Secures AI Models, Apps

Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years.
"Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords," Heather Adkins, vice president of security engineering at Google, said.

Google Announces Passkeys Adopted by Over 400 Million Accounts

HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems.
Of the 10 security defects, four are rated critical in severity -

CVE-2024-26304 (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via

Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

The startup says its SaaS platform helps organizations detect and recover from ransomware attacks faster than "traditional" methods.

Source: Ihor Sveitukha via Alamy Stock Photo

The number of ransomware and associated extortion attacks is growing, with reports nearly every day about damage inflicted on organizations. These attacks disrupt business operations and result in significant downtime. In some cases, data is stolen. Educational institutions, retail and healthcare entities, and critical infrastructure organizations have all been targeted over the past few months.

Mimic, which came out of stealth today, is a ransomware defense company that offers a way for organizations to detect, deflect, and recover from ransomware attacks. The company says its software-as-a-service platform is capable of restoring an organization's environment and data back to an uninfected state within 24 hours without needing to pay a ransom.

Details about the technology are sparse, but the company has the support of several well-known names, including Ted Schlein, general partner at Ballistic Ventures, who joined the board of directors; and Marie Mouchet, former CIO of Colonial Pipeline, who joined the advisory board.

Mimic's platform works "in concert" with a customer's existing security controls, said Mimic CEO Derek Smith in a statement. Smith was formerly CEO of Shape Security, a Web and mobile application security company that was acquired by F5 in 2019 for $1 billion. 

As part of the launch, Mimic raised $27 million in seed funding from Ballistic Ventures, Menlo Ventures, Team8, Wing Venture Capital, and Shield Capital. The company said Apex Group, a financial services provider, is currently using the platform.

**About the Author(s)**

Mimic Launches With New Ransomware Defense Platform

Microsoft has uncovered a common vulnerability pattern in several apps allowing code execution; at least four of the apps have more than 500 million installations each; and one, Xiaomi's File Manager, has at least 1 billion installations.

Source: rafapress via Shutterstock

Researchers from Microsoft recently discovered many Android applications — including at least four with more than 500 million installations each — to be vulnerable to remote-code execution attacks, token theft, and other issues because of a common security weakness.

Microsoft informed Google's Android security research team of the problem and Google has published new guidance for Android app developers on how to recognize and remediate the issue.

**Billions of Installations at Risk of Compromise**

Microsoft has also shared its findings with vendors of affected Android apps on Google's Play store. Among them were Xiaomi Inc.'s File Manager product, which has more than 1 billion installations, and WPS Office with some 500 million downloads.

Microsoft said vendors of both products have already fixed the issue. But it believes there are more apps out there that are fallible to exploit and compromise because of the same security weakness. "We anticipate that the vulnerability pattern could be found in other applications," Microsoft's threat intelligence team said, in a blog post this week. "We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."

The issue that Microsoft discovered affects Android applications that share files with other applications. To facilitate the sharing in a secure manner, Android implements a so-called "content provider" feature that basically acts as an interface for managing and exposing an app's data to other installed applications on a device, Microsoft said. An app that needs to share its files — or a file provider in Android speak — declares the specific paths that other apps can use to get to the data. File providers also include an identifying feature that other apps can use as an address to find them on a system.

**Blind Trust & Lack of Content Validation**

"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Microsoft said. However, in many cases when an Android app receives a file from another app, it does not validate the content. "Most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."

This gives attackers an opening to create a rogue app that can send a file with a malicious filename directly to a receiving app — or file share target — without the user's knowledge or approval, Microsoft said. Typical file share targets include email clients, messaging apps, networking apps, browsers, and file editors. When a share target receives a malicious filename, it uses the filename to initialize the file and trigger a process that could end with the app getting compromised, Microsoft said.

The potential impact will vary depending on an Android application's implementation specifics. In some cases, an attacker could use a malicious app to overwrite a receiving app's settings and cause it to communicate with an attacker-controlled server, or get it to share the user's authentication tokens and other data. In other situations, a malicious application could overwrite malicious code into a receiving app's native library to enable arbitrary code execution. "Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences," Microsoft said.

Both Microsoft and Google have provided tips to developers on how to avoid the issue. End users, meanwhile, can mitigate the risk by ensuring their Android apps are up to date and by only installing apps from trusted sources.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Billions of Android Devices Open to 'Dirty Stream' Attack

Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean hackers are taking advantage of weak DMARC configurations to impersonate organizations in phishing attacks against individuals of strategic significance to the Kim Jong Un regime.

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is a security protocol for preventing email-based attacks. Unlike most security solutions, however, which potential victims implement for themselves, DMARC policies are set by email senders. In part for this reason, it can be easily overlooked.

On Thursday, the FBI and National Security Agency released a joint cybersecurity advisory detailing how the APT Kimsuky (aka APT 43, Thallium) is taking advantage. For some time now, it has been masquerading as organizations that have weak or nonexistent DMARC policies in convincing spear phishing emails.

"This is a highly effective new tool in the arsenal of one of the more prolific social engineering threat groups that Mandiant tracks," Gary Freas, Mandiant senior analyst with Google Cloud, said in an email. "Organizations in a variety of industries around the world are at risk of leaving themselves unnecessarily exposed. Proper DMARC configuration, in conjunction with proper management of SPF/DKIM, is low-hanging fruit to deliver high-impact prevention of phishing and spoofing of an organization."

**The Difference DMARC Makes**

Kimsuky's primary objective is to steal valuable intelligence — regarding geopolitical events, other nations' foreign policy strategies, and more — for the Kim regime. To do that, it aims cyberattacks at journalists, think tanks, government organizations, and the like.

To add legitimacy to these attacks, it often impersonates individuals from trusted organizations like these in highly targeted emails. Such emails are extra convincing when Kimsuky gains access to their puppet's legitimate account or domain (often through a separate spear phishing attack) to send emails on their behalf.

A Kimsuky phishing email sent from late 2023 to early 2024. Source: FBI/NSA

This is what DMARC is designed to prevent. It combines two authentication mechanisms: the Sender Policy Framework (SPF), which checks that a sender's IP address is authorized to send emails from their specified domain, and DomainKeys Identified Mail (DKIM), which uses public key cryptography for anti-tampering. Domain owners can set a DMARC record in their domain name system (DNS) settings to determine what happens should an email-en-route fail one of these checks: either block it (p=reject), treat it with suspicion (p=quarantine), or do nothing (p=none).

The FBI-NSA joint advisory suggests organizations favor p=reject or p=quarantine to prevent threat actors like Kimsuky from sending emails from their domains.

"DMARC hygiene is critical," says Jeremy Fuchs, Harmony Email analyst at Check Point. "It's a fantastic way to ensure that when someone gets an email from your company, it’s actually from your company. It can be a big project, though, to ensure p=reject state, especially when you have many domains. This is why reporting, monitoring, and consistent hygiene is key.

"DMARC is not a silver bullet, as hackers have plenty of ways to spoof, but it can be a good starting point."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn

Actual legislation is a long shot and a decade away, but policy experts are looking to jump-start the conversation around greater legal liability for insecure software products.

Source: Nick Lylak via Alamy Stock Photo

While legal legwork is already in progress to hold software vendors liable for delivering insecure products, actual laws and penalties are at least a decade away, says one policy expert who'll be speaking at next week's RSA Conference.

Greater accountability for insecure software vendors has the support of the Biden White House. However, licensing and contract protections have shielded companies whose vulnerable products have cost customers millions, according to James Dempsey, senior policy adviser/technology and governance lecturer, Stanford Program on Geopolitics/UC Berkeley Law School.

Dempsey will moderate a detailed discussion of proposed legal frameworks for software liability at this year's RSA, giving vendors a glimpse at the liability landscape. He'll be joined by Nick Leiserson, assistant national cyber director, cyber policy and programs, Office of the National Cyber Director; Bruce Schneier, security technologist, researcher, and lecturer, Harvard Kennedy School; and Chinmayi Sharma, associate professor, Fordham Law School.

"Right now, almost all software developers have language in their licenses or other contracts or terms of service in which they disavow any liability for any flaws in their products," Dempsey explains.

He uses the example of the Microsoft license on his own laptop to illustrate.

"For example, the Microsoft license for the operating system on my laptop says: 'You may not under this limited warranty, under any other part of this agreement, or under any theory, recover any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages,'" Dempsey tells Dark Reading. "The damage exclusions and remedy limitations in this agreement apply even if Microsoft knew or should have known about the possibility of the damages."

That's how vendors have been evading legal liability for their customer's damages, and in some cases, collecting cyber insurance payouts instead.

Progress Software, whose vulnerable MOVEit file transfer software led to the breach of more than 600 organizations and the compromise of the personal information of more than 40 million people, has so far evaded liability for its customer losses. Instead, Progress filed an 8-K form with the Securities and Exchange Commission that outlined the company's intent to collect on its full $15 million cyber-insurance policy coverage.

While there is a class-action consumer rights litigation against Progress Software for negligence and breach of contract, there are no legal protections for its customers, which in other industries could be enforced under an agreed upon legal "standard of care," according to a recent paper, "Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor," published by Dempsey in Lawfare. The paper outlines Dempsey's theory for the right path toward holding vendors legally liable for the cybersecurity of their products.

Okta is another software vendor that has exposed its customers to cyberattacks — and losses. September cyberattacks against Caesars Entertainment and MGM Resorts used Okta as an initial attack vector. Losses related to the cyberattacks at the hospitality giants racked up hundreds of millions in costs; both in lost earnings, as well as ransomware payouts.

By the end of 2023 Okta confirmed that an unauthorized user was able to gain access to data on 100% of its customers.

**Why Strong Software Developer Liability Protections Also Matter**

Holding developers liable for knowingly producing insecure tools requires carefully considered guidelines for what is a reasonable level of cybersecurity to expect from a software vendor in order to determine egregious outliers, Dempsey explained.

"Because there is general agreement that the manufacturers of software should not be made insurers of their products but rather should be liable only when a product is unreasonably secure, getting software liability right turns a lot on defining a standard of care," Dempsey's Lawfare article read.

This standard would include defects analysis already widely used in products liability law, the article added.

Dempsey also advocates a software developer "safe harbor" for hard-to-detect flaws. "For that, I would turn to a set of robust coding practices," Dempsey wrote.

Dempsey tells Dark Reading the Biden Administration realizes legislation will be necessary to achieve its goal of holding insecure software developers liable, which he adds they also understand is a long shot: "They see this as a 10-year issue."

Dempsey will moderate a detailed discussion of proposed legal framework for software liability on Monday, May 6, during RSA in San Francisco at 8:30 a.m. PT, giving vendors a glimpse at the liability landscape to come.

Tag

#auth