Securing the software supply chain – Analysis of the new national cybersecurity strategy

In March, the White House unveiled a new National Cybersecurity Strategy, which deviates from the National Cyber Strategy rolled out by the Trump administration in 2018. Among the changes implemented in the new strategy is a call to “rebalance the responsibility” of defending cyberspace, including a move away from end users and toward the “most capable and best-positioned actors,” including owners and operators of key technologies and infrastructures.

Organizations that do business with U.S. government agencies and also utilize open-source software in their development practices will soon see impacts as government clients require compliance with these new policies. Other organizations building applications with open-source software may not feel the direct effects of these new policies and regulations initially, but they should still educate themselves and stay informed.

Enter new CISA guidelines

Adding another layer to the complexity, the Cybersecurity and Infrastructure Security Agency in mid-April published new secure-by-design and secure-by-default guidelines, in collaboration with the FBI, the National Security Agency and international partners from Australia, Canada, the UK, Germany, the Netherlands and New Zealand. “To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers,” the report reads.

These and other continuously evolving changes impact organizations that utilize open-source software, meaning they must watch these policies and regulations closely. In the specific case of the new CISA guidelines, the organization calls for software manufacturers to:

• Take ownership of the security outcomes of their products. The idea here is to take the burden of security away from end customers. Digging deeper, the agency said secure configuration should be the default baseline where products automatically enable and utilize the most important security controls needed to protect organizations from malicious actors.
• Embrace radical transparency and accountability. As an example, CISA said software manufacturers should ensure vulnerability advisories and that associated common vulnerability and exposure (CVE) records are complete and accurate.
• Build the right organizational structure. CISA’s guidelines say this can be achieved via executive-level commitment for software manufacturers to prioritize security as a critical element of product development.

Changing the open-source software culture of accountability

The most recent guidelines from CISA and the White House underscore the importance for vendors to fully embrace the need for secure open-source software, rather than simply “checking the box.” For context, open-source software is used within mission-critical applications by 95% of IT organizations worldwide, meaning the guidelines apply to nearly every organization with a technical or software component.

This year’s new guidelines are only the most recent in a wave of security requirements affecting both enterprises and government organizations. Other recent examples include the Executive Order from May 2021, the H.R. 7900 bill, the White House Office of Management and Budget memorandum on enhancing Software Supply Chain security through secure software development practices, and the 2022 Securing OSS Act.

SBOMs: From nice-to-have to a must-have

OMB’s memo specifically referred to supply chain cybersecurity best practices laid out by the National Institute of Standards and Technology, which recommended a complete assessment of software inventory and the collection of statements from each external vendor that creates software used by federal agencies, otherwise known as a software bill of materials (SBOM).

Similar to a car or any other piece of technical machinery, software consists of many smaller parts designed to work interdependently; the entire package only works properly if every individual piece functions correctly.

In an attack on software supply chains, such as the highly publicized Log4j and SolarWinds incidents, individual components were compromised, causing the entire package to essentially malfunction and expose vulnerabilities. Returning to the car analogy, the laundry list of government-issued orders requires manufacturers to sell the best and most secure “car” to government agencies and provide details on all of the combined components — the SBOM.

Against this backdrop, rather than fretting about the new government regulations, software vendors and customers should celebrate the fact the U.S. government has embraced secure and agile software development — increasingly referred to as DevSecOps — as the new industry standard. One senator and co-sponsor of the OSS Software Act called OSS  “the bedrock of the digital world,” and those focused on securing the software supply chain wholeheartedly agree.

Ultimately, software manufacturers should embrace the habit of practicing sound cyber hygiene that helps their organization comply with new federal regulations so they can continue selling stronger and more secure software. Only this will help keep the nation’s critical infrastructure — and those that use it — secure.

Nati Davidi is senior vice president of JFrog Security.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.