Feds push developers to take the lead in securing software supply chain

Dive Brief:

  • Federal authorities, including the National Security Agency and the Cybersecurity and Infrastructure Security Agency, released software security guidelines on Thursday, designed to help developers improve their practices and avoid future catastrophic nation-state attacks like the 2020 SolarWinds campaign or massive vulnerabilities like Log4j.
  • The 64-page guidelines were created through the Enduring Security Framework, a public-private working group led by the NSA and CISA, which offers guidance on cybersecurity threats to critical infrastructure across the United States.
  • The agencies, which also included the Office of the Director of National Intelligence, said the guidelines offer expert advice on developing and building secure code, verifying third-party components and hardening the build environment.

Dive Insight:

The Biden administration is focused heavily on taking control of the country’s critical infrastructure following the SolarWinds supply chain compromise in 2020. A series of historic ransomware attacks, including the incident of May 2021 that forced a temporary but massive fuel shutdown at Colonial Pipeline, heightened the administration’s concerns.

“Malicious cyber actors routinely exploit vulnerabilities in software supply chains, an issue that affects both commercial and open-source software,” an NSA spokesperson said in an emailed statement. “This impacts both private and public companies. US cybersecurity authorities publish these tips to help software developers understand commonly exploited controls and how to mitigate the problem.”

The NSA cited both the SolarWinds and Log4j vulnerabilities, noting that the issue has led to a greater need for security awareness regarding the software supply chain and an increased potential for these chains to be weaponized by nation-state adversaries.

The timing of the release is tied to Executive Order 14028, which establishes new requirements to secure the software supply chain, the spokesperson added.

President Joe Biden signed the executive order in May 2021 following attacks on SolarWinds and Microsoft Exchange servers, and shortly after the Colonial Pipeline attack.

The order was intended to prevent other malicious criminal actors or nation-state adversaries from using software flaws to steal sensitive data, extort major US corporations, or disrupt critical industries like energy, transportation or public utilities.

The SolarWinds campaign, which spanned more than a year, revealed that the US government did not have enough visibility into the country’s digital infrastructure. Private cybersecurity company FireEye Mandiant actually discovered and reported the SolarWinds attack in December 2020.

For SolarWinds, the new recommendations build on its efforts to reshape the way companies build software.

“We continued to work closely with government and the broader tech industry to build strong public-private partnerships to protect the nation’s cyberinfrastructure,” a SolarWinds spokesperson said in a statement. “Many of the recommendations included in the new report reflect the principles we have shared at SolarWinds with our Secure by Design initiative, including strengthening the software build environment.”

SolarWinds said it hopes its Secure by Design approach can help set a new standard for the industry.

The guidelines are part of an ongoing debate in the software and information security industries about when to address security vulnerabilities, but recent recommendations indicate that concerns should be addressed at the design and development stage.

“Developers play a key role in securing the software they create for their employers, but when that software is used as part of a software supply chain, those responsibilities are even greater,” said Tim Mackey, senior security strategist at Synopsys Cybersecurity Research Center. “Unfortunately, like many things associated with the concept of ‘shift to the left’, development teams expect them to be expert risk assessors and able to identify and protect against threats on how they develop software.”

The guidance from the ESF Task Force perfectly complements the secure software development framework released by the National Institute of Standards and Technology earlier this year, according to Manjunath Bhat, VP analyst at Gartner.

“While the SSDF focuses on secure development best practices within the context of a given organization, the ESF guidelines provide a holistic view of the software ecosystem as a whole,” Bhat said in an email.

The guidelines are the first in a three-part series planned by the agencies. Two additional guidelines will focus on software vendors and software customers.