NSA, CISA, and the Office of the Director of National Intelligence (ODNI) have shared a new set of suggested practices that software suppliers (vendors) can follow to secure the supply chain.
This guidance was developed through the Enduring Security Framework (ESF), a public-private partnership working to address threats to U.S. national security systems and critical infrastructure.
“Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software,” the NSA said on Monday.
“After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.”
The ESF will release one more advisory focused on the customer (acquiring organizations) part of the software supply chain lifecycle after issuing the first chapter in September with guidance for software developers.
You can find the complete guide of recommended practices for suppliers, including security requirements planning and maintaining software security, in today’s advisory [PDF].
This guidance was released following multiple recent high-profile cyber attacks, including the SolarWinds hack, which have highlighted software supply chain weaknesses that state-backed threat actors can easily exploit.
The danger behind supply-chain attacks has been made evident in real-world incidents multiple times since Russian threat actors compromised SolarWinds to infect downstream customers, including when Kaseya's MSP software was abused to encrypt systems at thousands of companies worldwide, and when threat actors used compromised npm modules to execute commands remotely.
After the SolarWinds supply-chain attack led to the compromise of multiple U.S. government agencies, President Biden signed an executive order in May 2021 to modernize U.S. defenses against future cyberattacks.
A new Federal strategy was released by the White House in January 2022, pushing the U.S. government to adopt a “zero trust” security model.
This move was prompted by Biden’s executive order and by both the NSA and Microsoft recommending this approach in February 2021 for critical networks (National Security Systems, Department of Defense, Defense Industrial Base) and large enterprises.
The White House’s announcement was followed in May by the U.S. National Institute of Standards and Technology (NIST) releasing updated guidance on how enterprises can defend against supply-chain attacks.
More evidence that the software supply chain is a popular and constant target came from a Microsoft report published in October 2021.
The company revealed that the Russian-backed Nobelium hacking group kept targeting the global IT supply chain after breaching SolarWinds, compromising at least 14 managed service providers (MSPs) and cloud service providers out of 140 attacked since May 2021.
Source: www.bleepingcomputer.com