Enhancing the security of the software supply chain is just as important as ensuring that physical goods and components can move smoothly from the origin to the endpoint to reach their destinations successfully. To that end, three federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI), have announced the release of the initial portion of a three-part joint guidance document that focuses on this very subject.
The NSA and CISA formed a cross-sector working group called the Enduring Security Framework (ESF) to get this done. The result of their efforts is just the first part of a final overarching security product; this initial portion is entitled Securing Software Supply Chain Series – Recommended Practices for Developers.
This opening document contains a description of best practices for software developers working to improve the security of the software supply chain. Among the principles discussed are security requirements planning and development, strategies for designing secure software architecture, adding security features, and maintaining the security of systems and overall infrastructures.
These guidelines are designed to be used in numerous situations by a wide variety of businesses and applications. To that end, they have been intentionally designed to be customizable to fit the unique needs of specific organizations. As a result, IT and development teams are encouraged to tailor their particular protocols and best practices accordingly in developing a robust set of security supply chain principles and protocols.
To make that happen, those working to implement these guidelines are encouraged to build security recommendations and any necessary resource increases into their budgets and corporate timelines. Gaining support from all levels of management is another essential step toward ensuring that the principles and plans outlined in the document can be put into practice. Without stakeholders’ buy-in, even the most thorough and well-conceived plans are virtually doomed to failure.
In addition to best practices, this first part of the work group’s software security document outlines common threat scenarios that might occur during the life cycle of the software supply chain. It also recommends strategies to mitigate these threats and provides architecture and design documents, vulnerability policies, release criteria, threat models and security test plans, and assessment and training tips and protocols.
Additionally, the document highlights various secure SDLC practices and processes furnished by Carnegie Mellon University, NIST, US-CERT, OWASP, OpenSSF, and others. In the months and years to come, this fledgling software security document is sure to be reworked, enhanced, and improved in keeping with the current threat landscape and security trends. It will, as just one facet of a three-part initiative, form the foundation for greater supply chain security in the software arena.