Guidance has been released by the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) on steps that can be taken by developers to secure the software supply chain.
Cybercriminals and nation-state threat actors have targeted the software supply chain to efficiently attack large numbers of businesses, such as the SolarWinds hacking incident on the company and its customers, and the exploitation of vulnerabilities such as Log4J. These attacks prompted President Biden to issue an Executive Order on Improving the Nation’s Cybersecurity, which established new requirements to secure the software supply chain for the federal government, including conducting systematic reviews, process improvements, and setting security standards for software suppliers, developers, and customers who acquire software for the Federal Government.
The guidance – Securing the Software Supply Chain: Recommended Practices for Developers – was developed by the Enduring Security Framework, a public-private partnership tasked with addressing threats to critical infrastructure and national security systems. The aim of the guidance is to help developers to follow security best practices and implement measures to make it harder for software supply chain attacks to succeed.
The software supply chain has become more sophisticated, and adversaries have started attacking the supply chain rather than exploiting known vulnerabilities. By exploiting software supply chain vulnerabilities, adversaries have been able to compromise and move through networks undetected. Steps must urgently be taken to address this issue and the cybersecurity community needs to work together on securing the software development lifecycle.
“This document will provide guidance in line with industry best practices and principles which software developers are strongly encouraged to reference,” wrote the agencies in the guidance. “These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).”
Two further guidance documents will be released on securing the software supply chain, one of which will provide best practices for software suppliers and the other for customers.