Network Computing is part of the Informa Tech Division of Informa PLC


Reducing Security Liabilities

The Organization for Internet Safety (OIS), whose members include Internet Security Systems, Microsoft, Network Associates, Oracle and @Stake, has devised guidelines for security bug hunters to follow when a vulnerability is found. The group states, "OIS recognizes that the processes will only be adopted if they represent the consensus of the security community." Unfortunately, OIS forgot to invite the very large community of independent researchers to the party.

Some fear that OIS will use the guidelines to silence researchers and disclosure mailing lists. Researchers perceive a threat because these guidelines can be deemed a standard that vendors can use to sue researchers for their findings. But it isn't a big threat: At best, guidelines such as these are viewed as best practices and can't, by themselves, be used effectively in civil or criminal courts because they aren't standards or laws.

This seems like a CYA move. The rumblings that vendors should be held financially or criminally liable for security vulnerabilities are getting louder, and one way vendors can fend off legal action is to show that they have taken reasonable care to remove or fix vulnerabilities. If vendors adhere to a set of published guidelines, it lends support to their argument that they are doing what they can to fix problems.
