4 ways to improve software supply chain security

February 11, 2022

NIST has just published its Software Supply Chain Security Guidelines with the hopes of improving the nation’s cybersecurity.

The following four recommendations are intended to assist federal agencies and software producers in communicating clearly with each other regarding secure software development artifacts, attestation and conformity.

Use the SSDF’s terminology and structure to organize secure software development requirements communications. This enables all software producers to use the same lexicon when attesting to conformity for federal agencies. Software producers can map their secure development methodology to the SSDF’s secure software development practices or associated informative references.
Require attestation to cover secure software development practices performed as part of processes and procedures throughout the software life cycle. With the highly dynamic nature of software today, attesting to how things were and are done on an ongoing basis (processes and procedures) is typically more valuable than attesting to how things were done for a specific software release generated by one instance of those processes. This is especially true for post-release practices such as vulnerability disclosure and response, where processes might not yet have been performed for the latest release.
Accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required.
When requesting artifacts of conformance, request high-level artifacts. The software producer should be able to trace the practices summarized in the high-level artifacts to the corresponding low-level artifacts that are generated by those practices.

These minimum recommendations apply to attestation for all software within the scope of this guidance procured by federal agencies, and they should be part of each agency’s processes, NIST says. The recommendations are not intended to replace more stringent requirements for secure software development that federal agencies may have.

These minimum practices will not be sufficient in some cases. For example, an agency may need greater visibility into the practices for a particular product to better understand how the product would affect the agency’s cybersecurity risk.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Security departments have long struggled to bring their real-time voice communications into the present, resorting to communicating with radios, unsecure applications, multiple devices, and Wi-Fi-only solutions.

Poll

Business Travel Security

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

4 ways to improve software supply chain security

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

4 ways to improve software supply chain security

Related Articles

Related Products

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.