- Federal authorities, including the National Security Agency and the Cybersecurity and Infrastructure Security Agency, released software security guidelines Thursday, which are designed to help developers improve their practices in order to avoid future catastrophic nation-state attacks like the 2020 SolarWinds campaign or massive vulnerabilities like Log4j.
- The 64-page guidelines were created through the Enduring Security Framework, a public-private working group led by the NSA and CISA, which offers guidance on cybersecurity threats to critical infrastructure across the U.S.
- The agencies, which also included the Office of the Director of National Intelligence, said the guidelines offer expert advice on developing and building secure code, verifying third-party components and hardening the build environment.
The Biden administration is heavily focused on gaining control over the nation’s critical infrastructure following the SolarWinds supply chain compromise in 2020. A series of historic ransomware attacks, including the May 2021 incident that forced a temporary, but massive fuel disruption at Colonial Pipeline, have heightened the administration's concerns.
“Malicious cyber actors routinely exploit vulnerabilities within software supply chains, an issue which spans both commercial and open-source software,” a spokesperson for NSA said in an emailed statement. “This impacts both private and government enterprises. U.S. cybersecurity authorities are releasing this guidance to help software developers understand commonly exploited controls and how to mitigate the issue.”
NSA cited both the SolarWinds and Log4j vulnerability, noting the issue has led to a greater need for security awareness regarding the software supply chain and an increased potential for those chains to be weaponized by nation-state adversaries.
The timing of the release is related to the release of Executive Order 14028, which establishes new requirements to secure the software supply chain, the spokesperson added.
President Joe Biden signed the executive order in May 2021 in the aftermath of the SolarWinds and Microsoft Exchange server attacks, and shortly after the Colonial Pipeline attack.
The order was aimed at preventing additional malicious criminal actors or nation-state adversaries from using software flaws to steal sensitive data, extort major U.S. companies or disrupt critical industries like energy, transportation or public works projects.
The SolarWinds campaign, which took place over more than a year, exposed that the U.S. government did not have enough visibility into the nation’s digital infrastructure. Private cybersecurity firm FireEye Mandiant actually discovered and reported the SolarWinds attack in December 2020.
For SolarWinds, the new recommendations build upon its efforts to reshape how companies create software.
“We have continued to work closely with the government and entire technology industry to establish strong public-private partnerships to protect the nation’s cyber infrastructure,” a spokesperson for SolarWinds said in a statement. “Many of the recommendations included in the new report reflect the principles we have shared at SolarWinds with our Secure by Design initiative, including hardening the software build environment.”
SolarWinds said it hopes its Secure by Design approach can help set a new standard for the industry.
The guidelines are part of an ongoing debate in the software and information security industries on when to deal with security flaws, but recent recommendations point to addressing concerns in the development stage.
“Developers play a key role in securing the software they create for their employers, but when that software is used as part of a software supply chain those responsibilities are even greater,” Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. “Unfortunately, like much associated with the concept of 'shifting left,' an expectation is placed on development teams that they are experts in risk assessment and can identify and protect against threats to how they develop software.”
The guidance from the ESF working panel nicely complements the Secure Software Development Framework published by the National Institute of Standards and Technology earlier this year, according to Manjunath Bhat, VP analyst at Gartner.
“While the SSDF focuses on the best practices for secure development within the context of a given organization, the ESF guidance makes an all encompassing view of the software ecosystem as a whole,” Bhat said in an email.
The guidelines are the first of a three-part series planned by the agencies. Two additional guidelines will be focused on software suppliers and software customers.