I don't have a problem with anodyne pledges not to commit well understood vulnerabilities... but if that's all that "secure by design" means, then this is just posturing. To me, the important discussion is around who should decide what "secure" means. Of the possible candidates, I think government is pretty close to last. IMO they should stick to forcing organizations to be transparent and letting the market sort it out.
Arguably, this did sort of happen to security via the PCI DSS and the “chosen seven” technologies prescribed for any company handling payment data. It had a profound impact on IDS, WAF (which almost everyone chose instead of code reviews), SIEM, FIM, etc.
In case anyone else isn't familiar with these acronyms, IDS = "Intrusion Detection System", WAF = "web application firewall", SIEM = "Security Information and Event Management", FIM = "file integrity monitoring".
With all the power big tech wields in Washington as is, regulation will ABSOLUTELY be used to bar competitors from getting off the ground. I'm sure they'll also carve out some nice loopholes for themselves in the process. I guess all that "credit monitoring" in the aftermath of breaches is getting too expensive, so let's replace it with the "we're not gonna do a damn thing and you'll take it because we're all monopolies" model 😏
Sadly, “regulations” will inevitably be twisted to tip the playing field in favor of the established, moneyed players. No body of regulation ever made it easier for new entrants to compete. This may signal the beginning of the end of software innovation: universal Windows-ification.