Analysis
Attacks and Vulnerabilities
CISA
Critical infrastructure
News
Supply Chain Security

CISA, NSA, ODNI provide developers with software supply chain guidance

September 05, 2022
CISA, NSA, ODNI provide developers with software supply chain guidance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) have released actionable guidance for software supply chain development, production, distribution, and management processes, to increase the resiliency of these processes against compromise. All organizations have a responsibility to establish software supply chain security practices to mitigate risks, but the organization’s role in the software supply chain lifecycle determines the shape and scope of the responsibility. 

The guidance, titled ‘Securing the Software Supply Chain for Developers’ has been created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA, focusing on software developers and provides suggested practices to ensure a more secure software supply chain. The ESF has established the guidelines to serve as a compendium of suggested practices for developers, suppliers, and customer stakeholders to help ensure a more secure software supply chain. 

The current guidance is organized into a three-part series and will be released coinciding with the software supply chain lifecycle. The first part of the series focuses on software developers, the second part focuses on the software supplier, and the third part covers the software customer. The series will help foster communication between these three different roles and among cybersecurity professionals that may facilitate increased resiliency and security in the software supply chain process.

The document recommends principles that developers may use to help secure the software development lifecycle (SDLC), an important process used to protect the software supply pipeline. It also includes another section that covers a collection of appendices supplementing the preceding section. Each section contains examples of threat scenarios and recommended mitigations. Threat scenarios explain how processes that compose a given phase of the SDLC relate to common vulnerabilities that could be exploited. The recommended mitigations present controls and mitigations that could reduce the impact of the threats. 

Acquiring organizations may use the guidance as a basis of describing, assessing, and measuring security practices relative to the software lifecycle, the document said. “Additionally, suggested practices listed herein may be applied across the acquisition, deployment, and operational phases of a software supply chain.” 

The software supplier (vendor) is responsible for liaising between the customer and software developer. Accordingly, vendor responsibilities include ensuring the integrity and security of software via contractual agreements, software releases and updates, notifications, and mitigations of vulnerabilities. 

The guidance contains recommended best practices and standards to aid suppliers in these tasks. It will provide guidance in line with industry best practices and principles which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure, such as environments, source code review and testing.

The secure SDLC process starts when the supplier’s program management team collects feature requests from their customer’s user base, technical base, and marketing teams, the guidance said. These features cover operational and security enhancements to the product and are used to generate use cases that are then formulated into prioritized requirements. The supplier and developer management teams work together to define the requirements that are used to produce the architecture and high-level design that a development team uses to produce a product. In addition, the combined management team defines the product development security policies and practices that are used when producing the product. 

The process also defines how development activities will be structured and what artifacts will be collected for verification and validation. When developing and delivering a product, some common threats which may occur during the SDLC include an adversary intentionally injecting malicious code or a developer unintentionally including vulnerable code within a product.

It may also involve incorporating vulnerable third-party source code or binaries within a product either knowingly or unknowingly and exploiting weaknesses within the build process used to inject malicious software within a component of a product. It may also cover modifying a product within the delivery mechanism, resulting in the injection of malicious software within the original package, update, or upgrade bundle deployed by the customer.

The document lays down recommended mitigations that the supplier and developer management team should set policies that ensure development organizations have security-focused principles and guidelines in place. These measures include generating architecture and design documents, gathering a trained, qualified, and trustworthy development team, and creating threat models of the software product. 

Additionally, organizations must define and implement security test plans, describe release criteria and evaluate the product against it, and establish product support and vulnerability handling policies and procedures. It also suggests assessing the developers’ capabilities and understanding of the secure development process and assigning training, and documenting and publishing security procedures and processes for each software release. 

The guidance says that the management team defines policies and procedures used to assess developers’ capabilities and provide an understanding of the secure development process. These policies should address who requires training, how frequently they must train, who is authorized to conduct the training, relevant training topics, and how to evaluate the trainee’s ability to meet the standards established by the training. 

Security training for the development team is ideally conducted by a centralized, expert security team who can help product teams grow their expertise in secure development. It also provides engineers with a point of contact when they have specific security questions. The training should include secure software development and design, secure code reviews, software verification testing, and the use of security and vulnerability assessment tools during development. 

“As the cyber threat continues to become more sophisticated, adversaries have begun to attack the software supply chain, rather than rely on publicly known vulnerabilities,” the NSA said in a statement, on the release of the software supply chain guidance for developers. “This supply chain compromise allows malicious actors to move throughout networks seemingly undetected. In order to counter this threat, the cybersecurity community needs to focus on securing the software development lifecycle.”

Recent cyberattacks such as those executed against SolarWinds and its customers, and exploits that take advantage of vulnerabilities such as Log4j, highlight weaknesses within software supply chains, an issue that spans both commercial and open source software and impacts both private and federal enterprises. Accordingly, there is an increased need for software supply chain security awareness and cognizance regarding the potential for software supply chains to be weaponized by nation-state adversaries using similar tactics, techniques, and procedures (TTPs). 

Apart from supply chain attacks, the critical infrastructure sector has also faced a spate of ransomware attacks. Following the DarkSide ransomware attack against Colonial Pipeline, U.S. President Joe Biden released last May Executive Order 14028, which focuses on improving the nation’s cybersecurity posture. It also establishes new requirements to secure the federal government’s software supply chain and called upon the federal government to take action to improve the security and integrity of the software supply chain, with a priority on addressing critical software.

In July, the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the CISA sought inputs that address weaknesses in software, a key component of critical infrastructure systems. The collaboration is also looking for technology that will enable stakeholder visibility into software supply chains and new risk assessment capabilities due to the growing fact that cyber-attacks can lead to outages or damage to safety and life-critical systems.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights