Why selling software to the government is like visiting a confessional booth

Final rules have kicked in for companies selling software to the government. They must now attest to the fact that they used secure development practices. Their reference must be the Secure Software Development Framework from the National Institute of Standards and Technology. For more, the Federal Drive with Tom Temin talked with the Chief Technology Officer of Legit Security, Joe Nicastro.

Interview Transcript:

Joe Nicastro: Yeah, it’s a great question. So largely with the SolarWinds attacks that happened, there was an executive order that came out essentially saying that NIST was going to create a new guideline or framework around software supply chain security, which ended up becoming the NIST SSDF. And then very shortly after that, [Cybersecurity and Infrastructure Security Agency (CISA)] decided to utilize that SSDF as part of an attestation for them, for companies that are selling software to the overall government. This was in a comment period, but as of last week, it was finalized, which essentially means that within the next three months, all critical software that’s being sold to the government needs to have this attestation done, or non-critical software that’s being sold to the government needs to have this attestation done within six months. And essentially what this attestation is, is a form that is being signed off by either the CEO or some other designated C-level person within that organization, or a third party authorized regulator that’s going to come in and essentially say, hey, these particular controls that are in place are in place properly. And we’re attesting to CISA that this company is following appropriate standards and practices for their software development.

Tom Temin: If you’re a Microsoft or a SAS, or a Salesforce or Oracle or any of these giants that pretty much dominate the software industry, don’t they already use secure development practices? Not that there’s never a vulnerability, but do they have anything to fear if they make this attestation?

Joe Nicastro: I think most organizations have a lot of the controls that are being asked for by SSDF in place. Things like having the appropriate application security tooling, whether that’s static analysis, dynamic analysis, software composition analysis, etc. I think where most of the organizations are going to struggle, putting in some of these additional controls, is largely going to be around the overall supply chain itself. There’s a lot of tools on the market right now that primarily focus on the risk within an application. Not a lot of tools out there are focusing on the risk in the actual software factory that’s creating this code. And I think that’s the reason why we’ve seen a lot of software supply chain attacks increase over the last 4 or 5 years. Sometimes upwards of 600 or 700% year over year. So I definitely think that larger companies have the capability of meeting these controls. I think they obviously have a little bit more work to do, but definitely something that I think that they’ll be able to get done. I think the bigger struggle for especially large companies is going to be attesting to this in an automated way. I think one of the things that’s lacking in this new CISA attestation is the ability for organizations like Microsoft or these large organizations to attest in an automated fashion. Right now, it’s largely PDF driven or filling out a form on a website. And when we’re doing things at the speed of development, any manual processes like this are going to slow that down. And I think that’s going to be the biggest hurdle for organizations as we move.

Tom Temin: And just backing up the food chain for a moment. The reality of most commercial software is that there’s a little bit of coding by the vendor, and mostly they’ve assembled open source components that might be common to 10,000 other programs. So is that going to be an impediment to being able to safely make an attestation?

Joe Nicastro: So I think again, a lot of the organizations that we’re talking about have some form of testing with regards to software composition analysis to make sure that the open source packages that they’re bringing in are healthy and don’t have a lot of risk to them. But yeah, definitely going to be a concern as we move forward, is making sure that, again, the packages that we’re using aren’t introducing additional risk into that organization. I think the bigger picture, though, is looking at how that open source and those packages are being utilized in the application as a whole within the organization to really start looking at risk holistically, as opposed to just determining whether or not there’s a vulnerability in a package that maybe isn’t in active code, maybe isn’t touched by the overall code that’s being used, maybe doesn’t even have a reachable vulnerability, etc.

Tom Temin: We’re speaking with Joe Nicastro. He’s field CTO of Legit Security. And a final question on the vendor side: what are the consequences if they make this attestation, and then some vulnerability is exposed? Because I don’t think their software has been published yet where somebody can’t hack something. So what happens then?

Joe Nicastro: I think this is something that we’re all waiting to kind of see. I think there’s definitely been some precedent set with the Uber CISO going to jail and the suit against the CISO over SolarWinds. So I definitely think that there’s some precedent there for there to be an ownership or an onus on the overall leader of the security programs at these companies. I don’t think that there’s a very real threat out there of what’s going to happen should you attest to something like that and have a breach or something that’s shown that maybe you attested to something improperly. But again, I do think that we’re starting to see a shift in the way that we’re looking at these from a legal standpoint, where there is going to be some level of personal responsibility being held by either the CTO, the CISO or somebody else who’s signing these overall attestations, saying that if there is a breach, there’s going to be consequences.

Tom Temin: Well, hopefully they’ll get minimum security. And moving over to the government side. Contracting officers are at the point of enforcement of this; what are you telling them they need to do now to make sure they get the right documentation of the attestation?

Joe Nicastro: If we’re talking about from the government standpoint, like CISA, and what I think they need to adjust in order to make this a little bit easier for organizations, largely like we talked about, some form of way of automating these overall attestations into the government. Again, if we’re talking about organizations that have 1 or 2 applications, filling out a PDF is not a large lift. But when you’re talking about organizations that have upwards of 100, a thousand, even 10,000 applications that they’re selling to the overall government, running through 10,000 manual PDFs to sign each attestation becomes a very large lift. And at that point, you’re slowing down the development process to the point where, again, it’s something that most organizations are really going to think about whether or not this is something that’s important for them to do. I think if CISA could come out with some form of way of automating these forms, whether allowing for an API ingestion or something like that, it definitely allows organizations to start to pin these attestations directly into their overall development processes so that they can start to attest to these things as development is happening, with all of the controls that they already have in place.

Tom Temin: Both sides then really need the grease, if you will, of an automated process that is nevertheless tied to something that legitimately happened.

Joe Nicastro: 100%. The whole goal of all of the security that we put in place with development is that the security moves at the pace of development. Our goal is never to slow down that development process, largely because, again, this is typically how businesses are making money, it’s how they’re creating feature sets, it’s how they’re keeping relevant in their overall spaces. So if we slow that down, there’s other risk or ramifications that affect the overall business. So our goal as security should always be to implement these practices or controls in a way that’s really invisible or transparent to the overall development process. And I think the same thing with this attestation. Being able to grease, in your words, both sides, so that we can attest to these things in a way that’s reasonable as well as giving the information that the government needs to show that these controls are in place, is going to be very important to this entire program being successful.

Tom Temin: And what about resellers that really do move a lot of the software? Are they just third party passthroughs and the attestation still belongs to the vendor?

Joe Nicastro: Yeah. So at that point, I think what we’re going to see with a lot of the resellers is they’re going to be spinning up services that will essentially do the attestation for them. No different than what we see with, like, third parties that are doing a lot of the FedRAMP attestations on that side, where it’s now become a service. I think we’ll see the same thing with the CISA attestations, where organizations will start to come out and basically sell those services to organizations and say, hey, we’ll validate your controls, we’ll make sure that everything you’re doing is according to the overall CISA attestation requirements, and then we’ll sign off on it for you.

Tom Temin: That could be a new value added, profitable service.

Joe Nicastro: Yes, 100%, I definitely see that’s something that is going to pick up with a bunch of the resellers and different types of compliance agencies out there. Again, we see it with things like FedRAMP already. We see it with all of the other compliances out there. A lot of these compliances are really hard to meet. And so if you can have a third party come in and give you an understanding of where you have those gaps and fix those gaps, it makes it substantially easier.


Copyright © 2024 Federal News Network. All rights reserved.