NIST updates software supply chain security guidance

The National Institute of Standards and Technology (NIST) released updated guidance on securing the software supply chain in response to the Biden administration's executive order on improving national cybersecurity.

Among NIST's recommended minimum security measures for U.S. enterprises are standardizing the language regarding software supply chain reporting and requiring attestation to security practices within software use and development.

Cybersecurity leaders will likely need to enact a cultural shift in their organizational risk management strategies in order to adopt these guidelines, according to Dr. Chenxi Wang, Managing General Partner at Rain Capital and Technical Advisory Board Member at Secure Code Warrior.

"The newest draft of 'Engineering Trustworthy Secure Systems' specifically outlines the importance of proactive risk management, including mitigation of vulnerabilities within systems and software. This requires software engineers to pay attention to and upskill in secure design principles, which should be a layer of foundational learning in their security training," said Dr. Wang.

"Security leaders can set an example for the organization by prioritizing code-level quality and safety, setting developers up for success through security program innovation. Being supported in building hyper-relevant skills helps them understand the importance of security best practices and their power to make a difference."

With the focus on development-level cybersecurity, Chief Information Security Officers (CISOs) may shift and grow their relationships with information technology (IT) and software development teams to prioritize security from the beginning of the software lifecycle.

"I think we are reaching a point where CISOs are generally becoming more interested in the security potential of development teams and what they are doing to protect the organization from devastating data breaches," said Dr. Wang.

"In that sense, I think there will be some new empathy for software developers' plight and their competing priorities, which will, in turn, assist in CISOs having a better understanding of right-fit tools, training and processes to help them achieve security at speed."

Madeline Lauver is the Editor in Chief of Security magazine. Lauver joined Security in 2021 as its Assistant Editor, and she covers news affecting enterprise security leaders, including physical security, cybersecurity, leadership and management, risk and resilience and more. Within her role at Security, Lauver focuses on news articles, web exclusives, features and several departments for Security’s monthly digital edition, as well as managing social media and multimedia content. Lauver graduated in 2019 with a B.A. in English, German and Media Studies from Kalamazoo College.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.