Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption

Cyberattacks are conducted via cyberspace and target an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure, or of destroying the integrity of data or stealing controlled information. Cyberattacks such as the one executed against SolarWinds and its customers, and exploits that take advantage of vulnerabilities such as Log4Shell in the Log4j library, highlight weaknesses within software supply chains, an issue which spans both commercial and open source software and impacts both private and Government enterprises. Accordingly, there is an increased need for software supply chain security awareness and for cognizance of the potential for software supply chains to be weaponized by nation state adversaries using similar tactics, techniques, and procedures (TTPs).

In response, the White House released an Executive Order on Improving the Nation’s Cybersecurity (EO 14028) that established new requirements to secure the federal government’s software supply chain. The Enduring Security Framework (ESF), led by a collaborative partnership across private industry, academia, and government, established the Software Supply Chain Working Panel, which released a three-part Recommended Practices Guide series to serve as a compendium of suggested practices to help ensure a more secure software supply chain for developer, supplier, and customer stakeholders.

Building on that series, the ESF Software Supply Chain Working Panel established this second phase of guidance to provide further detail on several of the Phase I Recommended Practices Guide activities. This guidance may be used as a basis for describing, assessing, and measuring security practices relative to the software lifecycle. Additionally, the suggested practices listed herein may be applied across the acquisition, deployment, and operational phases of a software supply chain.

The software supplier is responsible for liaising between the customer and the software developer. Accordingly, vendor responsibilities include ensuring the integrity and security of software via contractual agreements, software releases and updates, notifications, and mitigation of vulnerabilities. This guidance contains recommended best practices and standards to aid customers in these tasks.

This document provides guidance in line with industry best practices and principles which software developers and software suppliers are encouraged to reference. These principles include managing open source software and software bills of materials (SBOMs) to maintain and provide awareness of the security of software.
