U.S. Government Rolls Out Fresh Framework to Boost Software Supply Chain Security

Securing the Software Supply Chain: Recommended Practices Guide for Suppliers is the second part of a three-part series for guidance on best practices for developers, suppliers, and customers.

November 2, 2022

This week, three federal agencies jointly released Securing the Software Supply Chain: Recommended Practices Guide for Suppliers under a public-private partnership initiative called Enduring Security Framework (ESF). The document serves as guidelines for securing the software supply chain.

Software supply chain risks, i.e., easy-to-exploit weaknesses in the digital infrastructures of vendors, suppliers, MSPs, etc., aren’t new, with one of the first going back to 1982. Since then, a fair share of attacks have originated from the software supply chain, including the attack on Target, Altair Technologies, Piriform, ME Doc (NotPetya attack), and more.

However, it wasn’t until the 2020 SolarWinds attack, which impacted government entities and private companies alike, that supply chain attacks emerged as a significant concern for governments and organizational decision-makers. The attack on SolarWinds’ widely used Orion platform, widely considered a cyberespionage campaign that remained undetected for months until December 2020, affected almost 18,000 SolarWinds customers who downloaded a malicious update that allowed hackers to set up backdoors in the systems of almost 100 organizations.

Later, the Log4Shell vulnerability in the Log4j logging utility came as a grave reminder of the prevalence of supply chain risks emanating from the widespread use of open-source tools. In fact, Sonatype’s 8th Annual State of the Software Supply Chain Report revealed a 633% year-over-year increase in attacks against open-source, public repositories and a 742% average yearly increase in software supply chain attacks since 2019.

Spring4Shell, Text4Shell, Python and other vulnerabilities, not to mention weak links in the security of public repositories, have also had a smaller but still significant impact on organizations worldwide.


“There is an increased need for software supply chain security awareness and cognizance regarding the potential for software supply chains to be weaponized by nation-state adversaries using similar tactics, techniques, and procedures (TTPs),” reads Securing the Software Supply Chain: Recommended Practices Guide for Suppliers.

The 45-page document is the second part of a three-part series for guidance on best practices for developers, suppliers, and customers. Part one, which focuses on developers, was released in September 2022.

“Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third-party components, and harden the build environment,” the National Security Agency (NSA), one of the federal agencies involved in developing the guidelines, stated.

“But the supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.”

The release of these guidelines follows President Joe Biden’s 2021 executive order to protect U.S. national interests and shore up critical infrastructure against an ever-increasing onslaught of foreign and domestic cyberattacks. Besides the NSA, the guidelines were prepared by the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI).

Securing the Software Supply Chain: Recommended Practices Guide for Software Customers should be available in late November or early December 2022.




Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com