Software is the invisible infrastructure of our world, powering everything from critical systems to everyday devices. But its ubiquity makes it a prime target. The question is not just how secure this software is, but who bears the ultimate responsibility for safeguarding it from increasingly sophisticated threats. This is a critical question for IT security professionals, software developers, and indeed, all of society.
The software supply chain drives a great deal of innovation, but it is also the source of many hidden risks. While it enables critical operations, it also presents a significant attack surface. Even federal agencies, entrusted with safeguarding sensitive data, are exposed to vulnerabilities stemming from their reliance on external software. This reality demands a fundamental shift in how we approach software security, one that prioritizes proactive measures to identify and mitigate risks throughout the entire supply chain.
Moreover, getting agencies and organizations to update their software can be a losing game. In 2023, 33% of applications were still vulnerable to the infamous Log4Shell remote code execution flaw from 2021. This is why regulators have turned their eyes to the software supply chain.
Federal Policy and New Mandates
In alignment with National Institute of Standards and Technology (NIST) guidelines, the Cybersecurity and Infrastructure Security Agency (CISA) announced new mandates, including the Secure Software Development Attestation form, which requires federal software vendors to follow software development security best practices. Examples include keeping their systems secure, checking software supply chain sources, providing information about software origins, and addressing vulnerabilities. Drafted to comply with Executive Order 14028, these practices are based on the NIST Secure Software Development Framework (NIST SP 800-218). The form gives the Office of Management and Budget (OMB) a way to ensure that federal contracts select secure vendor software, maintaining the resilience of federal systems against cybercriminals.
The new form is a way for CISA and OMB to verify that software producers take responsibility for the security of their software and fix vulnerabilities before selling it to the government. Requiring developers to attest to their software's security is an important motivator. It gives developers clarity on the steps needed to secure software before selling it to third parties and affecting end users. These government-focused requirements are just the start. Attestation needs to become a well-oiled, standard process across critical infrastructure.
Shocking Survey Results
The deadline for submitting the attestation form was June 11, 2024, for critical software and September 11, 2024, for all software. Yet a survey of over 100 security professionals at the RSA cybersecurity conference revealed that only 35% of industry insiders had even heard of E.O. 14028, and roughly half of those familiar with it were unaware of its criteria.
This lack of knowledge and preparedness is alarming, considering the potential consequences of non-compliance. Software producers who fail to submit the form or provide false or incomplete information could face legal and financial penalties, as well as damage to their reputation and trustworthiness.
The survey also revealed that many security professionals did not have the tools or resources to identify and mitigate security risks in the software supply chain. Open-source software components are widely used in software development but can introduce new vulnerabilities and dependencies.
Over half of the survey respondents said their companies used open-source software components, but only 16% said the average open-source software was secure. Additionally, only 56% of respondents reported having tools to detect security vulnerabilities in open-source software, with 24% unsure and 20% lacking the tools.
The survey also highlighted the challenges that security professionals face with budget limitations and staffing shortages. Nearly half of the respondents said they were struggling with budget constraints, and one-third said they lacked the personnel to adopt proper software supply chain security measures.
How do we go forward?
These findings suggest that there is a significant gap between the government's expectations and the industry's knowledge and capabilities to secure software development. While the government is trying to improve the nation's cybersecurity by imposing new rules and standards, many software producers are not ready, are not making it a priority, or, worse yet, are not willing to comply.
To close this gap, software producers and security professionals need to educate themselves and their organizations about the latest compliance regulations and best practices. They also need to prioritize the creation and upkeep of software bills of materials (SBOMs), which can help them track and manage the components and sources of their software. Teams need to invest in tools and technologies that can provide real-time visibility into the quality and security of their software, as well as alert them to any vulnerabilities or anomalies.
Secure software development is not only a matter of compliance, but also a matter of responsibility and trust. When software developers confirm the security of their products and take responsibility for any vulnerabilities, they protect their own interests and enhance national security and public well-being. Software consumers who demand and verify the security of their software are not only protecting their own data and systems, but also holding software producers accountable and encouraging them to improve their practices. Together, software producers and consumers can create a more secure and resilient software supply chain, and a more secure nation.
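As an added illustration of the SBOM upkeep recommended above (example code, not from the article or from Lineaje), the script below parses a small CycloneDX-style SBOM constructed inline and flags any component whose version is below the fixed version in a constructed advisory list; the advisory entry and the version thresholds are illustrative placeholders, not authoritative vulnerability data.

```python
# Added example: flag SBOM components that are older than a known fix.
import json
import re

# Constructed sample SBOM (CycloneDX-like JSON); not from a real build.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.4",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}
  ]
}"""

# Constructed advisory list (illustrative placeholders, not authoritative):
# purl without version -> (advisory id, first version carrying the fix).
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": ("EXAMPLE-ADV-1", "2.17.1"),
}


def parse_version(version):
    """Turn '2.14.1' into a comparable tuple; numeric parts compare as ints.

    Simplification: pre-release suffixes (e.g. '-rc1') sort after the
    numeric parts, so a full PEP 440 / SemVer comparator is not attempted.
    """
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def find_affected(sbom_json, advisories=ADVISORIES):
    """Return [(purl, advisory_id, fixed_version)] for components below the fix."""
    affected = []
    for comp in json.loads(sbom_json).get("components", []):
        base, _, version = comp.get("purl", "").partition("@")
        if base in advisories and version:
            adv_id, fixed = advisories[base]
            if parse_version(version) < parse_version(fixed):
                affected.append((comp["purl"], adv_id, fixed))
    return affected


if __name__ == "__main__":
    for purl, adv_id, fixed in find_affected(SAMPLE_SBOM):
        print(f"{purl}: affected by {adv_id}, upgrade to >= {fixed}")
```

Feeding a real SBOM and a real advisory feed (for example, one keyed by purl) into `find_affected` is the core of the "real-time visibility" the article calls for; the check is only as good as the SBOM's completeness and the freshness of the advisory data.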
About the Author
Nick Mistry is SVP & CISO of Lineaje, with over 20 years of experience in the development and implementation of new and emerging technology solutions. Nick has experience leading cloud security, application security and cyber initiatives at multinational corporations and government. He also led technical architecture efforts to implement the US Federal Government Data Consolidation program, FedRAMP and HealthCare.gov "fix it" initiatives supporting DoD, GSA and CMS respectively. He is a recipient of the Ken Ernst North America Innovators Award. https://www.lineaje.com/