Proposed law banning procurement of software with vulnerabilities "detonates" the cybersecurity industry

Sources cited:

1. The Register, Aug 19 news: "Truth about that ban on US govt from buying insecure apps"

2. 安全内参, Aug 22 report: "Proposed law banning procurement of software with vulnerabilities 'detonates' the cybersecurity industry"

SEC. 6722. DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT

The software supply chain risk management provision

(1) A certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service identified in

This requires a certification that "each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service."

(A) the National Institute of Standards and Technology National Vulnerability Database; and

(B) any database designated by the Under Secretary, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, that tracks security vulnerabilities and defects in open source or third-party developed software.

A "known vulnerability or defect" means an entry listed in the National Vulnerability Database published by the National Institute of Standards and Technology (NIST), or in any database designated by the Cybersecurity and Infrastructure Security Agency (CISA) that "tracks security vulnerabilities and defects in open source or third-party developed software."

(2) A notification of each vulnerability or defect affecting the security of the end product or service, if identified, through—

(A) the certification of such submitted bill of materials required under paragraph (1); or

(B) any other manner of identification.

(3) A notification relating to the plan to mitigate, repair, or resolve each security vulnerability or defect listed in the notification required under paragraph (2).

If the contract includes "a plan to mitigate, repair, or resolve each security vulnerability or defect listed," the government may purchase software that contains known defects.
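The three paragraphs above map onto a mechanical check: look each SBOM item up in a vulnerability database (paragraph 1), list every match (paragraph 2), and attach the vendor's plan for each match (paragraph 3). The following Python is an added example, not code from the bill, The Register or 安全内参; it evaluates a constructed SBOM against a constructed vulnerability feed (the component names, versions and "CVE-0000-EXAMPLE" identifiers are placeholders, not real NVD entries) under both readings discussed on this page: the strict reading, where any known vulnerability blocks certification, and the caveat reading from paragraph (3), where a known vulnerability only blocks if no mitigation, repair or resolution plan was notified.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One SBOM line item: package name plus the exact version shipped."""
    name: str
    version: str


@dataclass(frozen=True)
class VulnRecord:
    """One entry of a vulnerability database (constructed; not real NVD data)."""
    vuln_id: str
    component: str
    affected_versions: frozenset


# Constructed SBOM for a hypothetical product (names and versions are made up).
SBOM = (
    Component("example-logging-lib", "2.14.1"),
    Component("example-json-parser", "1.8.0"),
    Component("example-http-server", "3.2.5"),
)

# Constructed feed standing in for NVD or a CISA-designated database.
# The identifiers are placeholders, not real CVE numbers.
VULN_DB = (
    VulnRecord("CVE-0000-EXAMPLE1", "example-logging-lib", frozenset({"2.14.0", "2.14.1"})),
    VulnRecord("CVE-0000-EXAMPLE2", "example-json-parser", frozenset({"1.8.0"})),
    # Affects an older version only; must not be reported against 3.2.5.
    VulnRecord("CVE-0000-EXAMPLE3", "example-http-server", frozenset({"3.2.4"})),
)

# Paragraph (3) material: the vendor's notified plan, keyed by vulnerability id.
MITIGATION_PLANS = {
    "CVE-0000-EXAMPLE1": "upgrade to a fixed release before deployment",
}


def known_vulnerabilities(sbom, vuln_db):
    """Paragraph (1) lookup: match every SBOM item against the database by
    component name and exact version. Returns {Component: [vuln_id, ...]}."""
    findings = {}
    for comp in sbom:
        hits = sorted(
            rec.vuln_id
            for rec in vuln_db
            if rec.component == comp.name and comp.version in rec.affected_versions
        )
        if hits:
            findings[comp] = hits
    return findings


def evaluate(sbom, vuln_db, mitigation_plans):
    """Return the paragraph (2) notification, the paragraph (3) plan per
    vulnerability (None where the vendor gave none), and the decision under
    both readings: 'certifiable_strict' is the literal paragraph (1) reading
    (any known vulnerability blocks); 'certifiable_with_plans' blocks only on
    vulnerabilities that lack a notified mitigation/repair/resolution plan."""
    findings = known_vulnerabilities(sbom, vuln_db)
    plans = {vid: mitigation_plans.get(vid) for vids in findings.values() for vid in vids}
    blocking = {
        comp: [vid for vid in vids if plans[vid] is None]
        for comp, vids in findings.items()
    }
    blocking = {comp: vids for comp, vids in blocking.items() if vids}
    return {
        "notification": findings,
        "plans": plans,
        "certifiable_strict": not findings,
        "certifiable_with_plans": not blocking,
        "blocking": blocking,
    }


if __name__ == "__main__":
    result = evaluate(SBOM, VULN_DB, MITIGATION_PLANS)
    for comp, vids in result["notification"].items():
        for vid in vids:
            print(f"{comp.name} {comp.version}: {vid} -> plan: {result['plans'][vid]}")
    print("strict reading passes:", result["certifiable_strict"])
    print("caveat reading passes:", result["certifiable_with_plans"])
```

On the sample data the strict reading fails as soon as any match exists, while the caveat reading fails only because of the JSON parser finding, which has no plan attached; adding a plan for it makes the SBOM certifiable under paragraph (3). The exact-version match is deliberate: a database entry for an older release of the HTTP server must not be reported against the version actually shipped, which is one of the sources of false positives the experts quoted on this page complain about.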

Chapter 1:

安全内参 reported on Aug 22 that US lawmakers' attempt to improve parts of the government's cybersecurity defenses through legislation has drawn questions and complaints from information security professionals. The National Defense Authorization Act for Fiscal Year 2023 allocates billions of dollars in funding to the US military and other critical areas of government. The bill has already passed the House and now needs Senate approval before President Biden signs it into law.

The controversy at issue centers on a seemingly reasonable provision of the draft bill: managing the risk of software-level attacks on the Department of Homeland Security and its supply chain of applications and online services. For new and existing government contracts, the proposed bill requires software vendors to provide "a certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service."

A "known vulnerability or defect" means an entry listed in the National Vulnerability Database published by the National Institute of Standards and Technology (NIST), or in any database designated by the Cybersecurity and Infrastructure Security Agency (CISA) that "tracks security vulnerabilities and defects in open source or third-party developed software."

In other words: the Department of Homeland Security may not procure any software containing a known, registered security vulnerability.

The intent behind the requirement is sound: to prevent malicious hackers from exploiting vulnerabilities like Log4j to compromise sensitive government systems. But the specific wording of the bill has left industry experts frustrated. For one thing, all code has bugs, so this provision would essentially cut off the government and defense sector's otherwise robust procurement process. For another, a sizeable share of the entries in vulnerability databases are not actually security risks.

In short, if the bill were strictly enforced, the US government would be unable to deploy any software or service. Dan Lorenc, co-founder and CEO of software supply chain security vendor Chainguard, said: "This requirement is misguided at best, and will certainly cause major trouble at worst." There is, however, some leeway. If the contract includes "a plan to mitigate, repair, or resolve each security vulnerability or defect listed," the government may purchase software containing known defects. In other words, as long as mitigation or repair measures are available, normal procurement by the agencies is not affected.

The controversy sparks heated debate across the industry

The issue set off a storm of debate on Twitter. Some worry that software vendors, in order to keep selling to government customers, will deliberately withhold vulnerability information (and stop registering CVE numbers). Others note that companies competing for contracts may dig up vulnerabilities in rivals' products to use as "dirt" against them.

Harley Lorenz Geiger, an attorney and senior policy director at security vendor Rapid7, tweeted that the text drafted by legislators amounts to saying: "Either stop reporting software vulnerabilities, or be excluded from software bids. Your choice." "Let me remind you that not all security vulnerabilities are seriously harmful, or can or should be mitigated. Thanks, policymakers, all the best."

Industry experts such as Katie Moussouris, CEO of vulnerability coordination and crowdsourced testing vendor Luta Security, urged security professionals not to overreact. She wrote on Twitter that the new bill actually allows government officials "to buy software products that contain CVEs but have mitigations," while reminding the government that it "has to mitigate or accept these risks before deploying."

Mauricio Sanchez, research director for network security at market research firm Dell'Oro Group, also said in an interview that while he understands the legislators' good intentions, the various requirements placed on technology procurement could well block the government's normal deployment process. "Unfortunately," he said, "this is typical of our legislators: they state requirements without saying how to meet them."

In Sanchez's view, the bill is likely to end in one of only three ways.

First: legislators back down. The technology lobby or other parties raise forceful objections, arguing that the requirement simply cannot be met (and indeed it cannot), and legislators choose to delete the provision.

Second: they clarify. Legislators "amend" the text, making the overly idealistic requirement more practical.

Finally: they punt. Legislators may not bother to think it through, push the new policy through as is, and then tell their constituents they are pro-cybersecurity and improving America's risk posture. How much time, effort and money it takes to clean up the mess is then a problem for the federal agencies and the courts. Sanchez himself is pessimistic: "If I had to place a bet, I'd bet legislators choose the last one."

Chapter 2:

An attempt by lawmakers to improve parts of the US government’s cybersecurity defenses has raised questions – and hackles – among infosec professionals.

The National Defense Authorization Act for Fiscal Year 2023 – which, if passed, provides billions in funding for the American military and other critical areas of the government – has gone through the House of Reps and requires Senate approval before president Joe Biden can green light it.

This draft law contains a seemingly well-intentioned section on managing the risk of software-level attacks on the Department of Homeland Security and its supply chain of applications and online services.

With respect to new and existing government contracts, the proposed act requires a software vendor to provide: “A certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service.”

This includes vulnerabilities listed in NIST’s National Vulnerability Database or any other CISA-designated database “that tracks security vulnerabilities and defects in open source or third-party developed software.”

In other words: Homeland Security can’t buy software with any known, registered security flaws. 

While this is likely intended to prevent the exploitation of things like Log4j bugs by miscreants to compromise sensitive government systems, the act’s language at first glance is frustrating for some. For one thing, all code has bugs – so blocking purchases on that basis would halt the government’s procurement system in its mighty military-industrial tracks. Then there’s the issue of some bugs that aren’t actually a security risk being wrongly logged in vulnerability databases.

By a strict reading of this act, nothing would ever get deployed.

“This idea is just misguided at best and an impending sh*tshow at worst,” argued Chainguard co-founder and CEO Dan Lorenc.

Now the reality

However, there’s a big caveat. Uncle Sam can buy known buggy software if the contract includes “a notification relating to the plan to mitigate, repair, or resolve each security vulnerability or defect listed in the notification.” In other words, if a bug can be mitigated or is due to be fixed, it’s not a showstopper.

Still, the language sparked an outcry in the Twitterverse as well as concerns that software vendors will stop reporting CVEs – or companies competing for contracts will run bug bounties on each other.

“Policymakers: please stop considering requirements to eliminate all software vulnerabilities, or bans on sale of software with any vulnerabilities,” tweeted attorney Harley Lorenz Geiger, a senior policy director at Rapid7.

“Please understand that not all vulnerabilities are significant, or can or should be mitigated. Okay, thanks policymakers, good chat.”

Others, such as Luta Security CEO Katie Moussouris, urged security pros to take a deep breath and relax. The act allows government officials “to buy software with known CVEs that are mitigated,” she tweeted, adding that Uncle Sam “has to mitigate or accept the risk before deploying.”


Mauricio Sanchez, a research director at Dell’Oro Group who covers network security, told The Register that while he believes the legislators are well-intentioned, the language may put officials in an impossible position when it comes to purchasing technology.

“Unfortunately, it’s typical behavior of our legislators to issue mandates that describe the ‘what’ but not the ‘how,’” he said.

Sanchez said he sees this bill playing out in one of three ways, as far as Congressfolk are concerned.

One: “They cave,” he said. “The technology lobbying arm or someone else raises a colossal stink that this is an untenable mandate (which it is), so legislators remove the wording.”

The second option: “They clarify,” which Sanchez noted involves lawmakers “doing the right thing” and making the mandate more practical as opposed to idealistic.

Finally, there’s a third scenario. “They punt,” Sanchez said. “They take the easy route, leave it in as is, and then claim to their constituency that they are pro-cybersecurity and improving US posture. This leaves federal agencies and courts to expend unnecessary time, energy, and money to clean and tighten up.”

He’s not too hopeful. “If I were a betting man,” Sanchez added, “I’d place the bet on number three.”

About 泛联新安

泛联新安 is a leading domestic provider of foundational software. With program-analysis expertise as its core competency, it focuses on providing industry-leading development support software and EDA software.

An early mover in China, it has continuously cultivated underlying core technologies including intelligent program analysis, compiler technology, software reverse analysis, software vulnerability discovery and high-performance program simulation. It has developed more than ten products in three categories, software quality testing, software security testing and digital circuit verification (EDA), forming a rich product matrix and an efficient product-incubation capability built on a unified technical architecture. All products are fully proprietary, and the company has accumulated many leading customers in the defense, aerospace, rail transit, finance, power and internet sectors.

Together with Tsinghua University it founded 北京清科智信科技有限公司; with the Chinese Academy of Sciences it co-invested in 中科空间(长沙)信息科技研究院; and with the National University of Defense Technology it co-built the Hunan Provincial Key Laboratory of Intelligent Parallel Analysis for Software Security. It holds 69 items of core intellectual property, including granted and pending invention patents and software copyrights, and has obtained multiple domestic and international certifications including CWE, TAIER Lab and Kylin Software Neo Certify.

泛联新安 is committed to helping enterprises quickly build secure, high-quality software. Through detection products covering code functional testing, known-vulnerability matching and unknown-vulnerability discovery, it helps put software security practices such as DevSecOps, AppSec, CI/CD strategy, SBOM inventories, risk assessment and asset management into concrete engineering practice, addresses security issues at the source, provides insight into code risk, gives customers an overview and management of their current software security activities, and helps enterprises implement these practices more efficiently, advancing digital transformation and high-quality development.
 
