White House issues a memorandum on software supply chain security.

The White House yesterday issued guidance for Federal agencies’ use of software security practices. The memorandum instructs agencies to obtain a self-attestation from software providers that their products are in line with NIST’s security guidelines:

“Ensuring software integrity is key to protecting Federal systems from threats and vulnerabilities and reducing overall risk from cyber-attacks. The NIST Guidance provides ‘recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development.’ Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.”

Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said in a statement, “The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”

Industry experts were quick to comment on the new guidelines.

Tom Kellermann, CISM, Senior Vice President of Cyber Strategy at Contrast Security sees the memorandum as an important early response to a growing risk:

"Software supply chains are under siege. Cybercriminals and spies are attacking software development, integration, and delivery infrastructure. Hijacking of the government’s digital infrastructure allows for adversaries to conduct island hopping, which increases the need for expanded national security and economic security enforcement. Given the sophistication of recent software supply chain cyberattacks, ensuring software integrity is paramount to protecting Federal systems systemic cyberattacks. Because of that, I applaud this proactive mandate by the administration. Continuous monitoring must expand to software development. As a next step, the administration should expand the guidance to include automation of interactive application security testing to ensure vigilant digital transformation."

 James McQuiggan, security awareness advocate at KnowBe4, points out that the memorandum is advisory, not prescriptive:

 “The documents coming forthwith are guidance and not regulation. Unlike the FEDRamp compliance, where it's mandatory, this supply chain security is written as guidance. It should be integrated with the FEDRamp compliance to ensure that all organizations providing software or software services to the government comply with the criteria in the soon-to-be-published guidance. Included in the guidance is a requirement of training. However, this training is not to develop secure software but to understand the guidance and how to implement it within the supporting organization. If organizations can provide Secure Development LifeCycle (SDLC) training to their developers and integrate those concepts into their organization's culture, it will effectively improve the quality of the software. Having security top of mind and embedded into the culture for all users can reduce the risk of data breaches, leaks, and misconfigured software.”

Chris Wysopal, Co-founder and Chief Technology Officer at Veracode, regards the memorandum as a sign of the growing pressure both the public and private sectors are under to address the security of the software supply chain:

“Today’s release of the Office of Management and Budget (OMB) memo is a reminder of the mounting pressure on government agencies – and their industry partners – to constantly work towards improving their cyber hygiene, while maintaining and strengthening security and compliance with cybersecurity regulations. As the public and private sectors consider this memo, they must prioritize the security of their software supply chains. By baking security into the development process, or “shifting left”, all involved in the federal cyber ecosystem – from agencies to vendors – can work together to deliver better user experiences in a secure environment, and provide a positive impact on the mission. As federal agencies look to comply with the approaching deadlines laid out in this document, they should critically review their existing software security strategies and ensure application security testing is embedded into the software development lifecycle.” 

 Rhys Arkins, Vice President of Product Management at Mend, thinks that the government has an important role to play in developing and promulgating best practices, in particular risk modeling:

"The release of this memo highlights the growing need to secure the software supply chain and that the US government is committed to helping organizations identify best practices to remain secure. At this time, it’s hard to tell whether this guidance will result in any significant change as some of the requirements are fairly subjective. For example, the guidance to use forms of risk modeling to help assess the security risk for software is an easy tactic an organization can take without changing much of their larger strategy. Looking ahead, to build upon this and elicit real change, the US government will need to ask for detailed proof and justification and be willing to make decisions based on these responses. These actions will push organizations to do more than just check boxes."

Travis Hoyt, CTO of NetSPI, sees implications not just for code, but for the environment in which code is developed:

"Today’s guidance from the Biden administration not only dictates the effort software developers must put into their code, but how they manage their own environments, as well. First, the introduction of a Software Bill of Materials (SBOM) is bound to have the greatest impact to security, but it also brings with it a learning curve as creating an SBOM may be a net new requirement for some firms. Additionally, the ubiquitous use of open source software means that developers leveraging these packages must pay greater attention to who is contributing to them and what is being incorporated into their products.

"Proactive penetration testing and source code review will prove critical to ensuring that given the changes, organizations are adhering to the latest guidance properly to better protect the software supply chain. Overall, this latest guidance is a step in the right direction for supply chain security, which has continued to plague the public and private sectors for far too long.

Rick McElroy, Principal Cybersecurity Strategist at VMware, thinks that the memorandum has a real chance of advancing security in the public sector, and, through that sector's vendors and contractors, in the private sector as well:

"This order attempts to address significant cyber security weaknesses and shore up governmental agencies' control framework. It aims to modernize their approach to public-private intelligence sharing and move the agencies towards zero trust. These are all worthy and long overdue goals. The executive order continues to show this administration’s commitment to a stronger cyber defensive posture. While the timeline seems aggressive based on typical procurement times from agencies, I believe this order will meaningfully move the needle for public sector security. This guidance will have a major impact on any provider of technology services or software to governmental agencies. Suppliers of these services and technology should be prepared to respond to the requirements of this order."

Kev Breen, Director, Cyber Threat Research, Immersive Labs, sees implications for both training plans and application security: With respect to training, any successful security program should address the readiness of an organization's personnel:

"Cybersecurity is an increasingly pressing area of concern for governments and businesses in the U.S. and worldwide. We believe that a people-centric approach is a key component of any successful cybersecurity initiative, including a greater focus on proving organization-wide cyber resilience. Traditional software approaches and outmoded one-off training sessions or certificates are not enough in today's threat environment. Cybersecurity needs to be a team sport with organizations continually assessing, building, and proving cyber preparedness through real-world simulations.

And application vulnerabilities are increasingly worrisome:

"Application security (AppSec) vulnerabilities are increasing. Attackers consistently look for new ways to exploit applications, and even the smallest of vulnerabilities can lead to a full-blown data breach. Yet, executives’ focus on rapidly shipping new products to market means that cyber-security is not always the top priority, potentially exposing companies to millions in lost revenue and damaged brand reputations. To safeguard companies, application developer (AppDev) teams need to upskill their people, prepare for rapidly evolving vulnerabilities, and prove their readiness to confront them. Despite the marketing hype, AppSec software and classroom-based training exercises alone fail to meet the mark. While AppSec software can provide a first-line of defense, it can’t measure preparedness. Likewise, making teams take online cyber-security quizzes or get a one-time certificate is woefully inadequate for developing the skills necessary to thwart emerging threats. Today, a new people-centric approach to team learning and preparedness called Cyber Workforce Resilience is paving the way for better security. The future of AppSec will include sophisticated tools that simulate real-world threat situations, allow teams to practice effective security protocols without fear of breaking their code, and help enterprises benchmark capabilities across the entire SDLC. Cyber resilience for the organization will increasingly be expanded to the entire workforce. Savvy enterprises are already implementing such tools to protect their end-users, reputations, and revenues, while proving their preparedness to senior leadership teams and their Boards."

Additional comments received 9.15.22.

Jon Geater, Chief Product and Technology Officer at RKVST, approves of the memo: "We applaud the White House for its commitment to a modern strategy for cybersecurity in the U.S. Today's memo sets out guidance and timelines for government agencies to comply with EO 14028 and underscores the importance of tools that securely distribute software supply chain information among all relevant stakeholders and attest to the provenance and integrity of software in critical use cases," said Jon Geater, chief product and technology officer at RKVST."

Rezilion's Director, Vulnerability Research, Yotam Perkal sees it as a step in the right direction but points out that self-attestation, like using a software bill of materials, isn't sufficient to address the challenges of software supply chain security:

"Stating that a Software Bill of Materials (SBOMs) may be required by the agency in solicitation requirements isn’t good enough as software is dynamic and so are the components within it. Dependencies change over time or become obsolete. While requiring these attestations is definitely a step in the right direction, as it stands now, meeting NIST’s security best practices is required only once with an SBOM, which is only a snapshot in time of software dependencies and does not provide the real-time context that organizations need to truly see their attack surface.

"Unless the SBOM is provided per version, or the entity that consumes the product has some way of generating updated information when a vulnerability like Log4Shell surfaces, organizations will still struggle to understand whether or not they are affected. Also, it notes an SBOM is only a recommendation and not mandatory. This doesn’t go far enough.

"I think it is crucial to ensure the format of this “common form” is machine readable to allow for automation and ease of consumption/sharing. And again, it is paramount that these attestations will be live documents that are updated as new versions of the software are released to keep them from going stale and getting to a point in which they no longer reflect the real security posture of the software."