Jon Gaines, senior application security consultant at nVisium, said the repercussions for failing to secure software build pipelines should “absolutely” include larger fines, mandatory third-party audits or even monetary payments.
“In my opinion, threatening more consequences won’t have a huge impact, though,” he said. “Yes, a breach or a hack costs more than fixing a potential problem earlier and I think that this issue needs to be solved in the same way: beforehand.”
From Gaines’ perspective, providing company tax breaks for going above and beyond regulations and the law is the best way to make companies take this seriously—not throwing more fines and penalties at the problem.
“You have this blatant disconnect between executive concern and executive action because of a common mindset of, ‘It will never happen to me’ or even ‘We are too small to be a target’,” he said. “As it sits, you can’t force a software vendor or platform to disclose its own security practices. In addition, you also can often pass off some of the responsibility to the third party if you use their software.”
Because organizations don’t want the onus and responsibility, it is essentially out of sight and out of mind. Gaines noted it’s also extremely costly for an organization to audit a third-party software company.
Lastly, there’s the fact that an organization may not even have the ability to create or audit the software themselves.
“Essentially, if you’re a user at a non-technical company, you can’t refuse the software the company has already adopted,” he pointed out. “And if they do, said software vendor has plenty of other companies willing to do so.”