Feds Push For Developers To Take Lead In Securing Software Supply Chain – Cybersecurity Dive

The guidelines from CISA and the NSA come amid a growing movement to “shift left” and evaluate software security earlier in the development cycle.
The Biden administration has focused heavily on securing the nation’s critical infrastructure since the SolarWinds supply chain compromise in 2020. A series of historic ransomware attacks, including the May 2021 incident that forced a temporary but massive fuel disruption at Colonial Pipeline, has heightened the administration’s concerns.
“Malicious cyber actors routinely exploit vulnerabilities within software supply chains, an issue which spans both commercial and open-source software,” a spokesperson for NSA said in an emailed statement. “This impacts both private and government enterprises. U.S. cybersecurity authorities are releasing this guidance to help software developers understand commonly exploited controls and how to mitigate the issue.”
NSA cited both the SolarWinds compromise and the Log4j vulnerability, noting that the issue has created a greater need for security awareness regarding the software supply chain and an increased potential for those chains to be weaponized by nation-state adversaries.
The timing of the guidance is tied to Executive Order 14028, which establishes new requirements to secure the software supply chain, the spokesperson added.
President Joe Biden signed the executive order in May 2021 in the aftermath of the SolarWinds and Microsoft Exchange server attacks, and shortly after the Colonial Pipeline attack.
The order aimed to prevent criminal actors and nation-state adversaries from using software flaws to steal sensitive data, extort major U.S. companies or disrupt critical industries such as energy, transportation and public works.
The SolarWinds campaign, which ran for more than a year, exposed that the U.S. government lacked sufficient visibility into the nation’s digital infrastructure. It was the private cybersecurity firm FireEye Mandiant, not the government, that discovered and reported the SolarWinds attack in December 2020.
For SolarWinds, the new recommendations build upon its efforts to reshape how companies create software. 
“We have continued to work closely with the government and entire technology industry to establish strong public-private partnerships to protect the nation’s cyber infrastructure,” a spokesperson for SolarWinds said in a statement. “Many of the recommendations included in the new report reflect the principles we have shared at SolarWinds with our Secure by Design initiative, including hardening the software build environment.”
SolarWinds said it hopes its Secure by Design approach can help set a new standard for the industry. 
The guidelines are part of an ongoing debate in the software and information security industries on when to deal with security flaws, but recent recommendations point to addressing concerns in the development stage. 
“Developers play a key role in securing the software they create for their employers, but when that software is used as part of a software supply chain those responsibilities are even greater,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. “Unfortunately, like much associated with the concept of ‘shifting left,’ an expectation is placed on development teams that they are experts in risk assessment and can identify and protect against threats to how they develop software.”
The guidance from the Enduring Security Framework (ESF) working panel nicely complements the Secure Software Development Framework (SSDF) published by the National Institute of Standards and Technology earlier this year, according to Manjunath Bhat, VP analyst at Gartner.
“While the SSDF focuses on the best practices for secure development within the context of a given organization, the ESF guidance takes an all-encompassing view of the software ecosystem as a whole,” Bhat said in an email.
The guidelines are the first of a three-part series planned by the agencies. Two additional guidelines will be focused on software suppliers and software customers.