 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Supply chain challenges have been in the news for quite some time. What hasn’t been a part of that discussion is the potential security risks to both physical product supply chains and the software supply chain.
The issue caught the attention of President Biden, who issued an executive order on May 12, 2021, titled “Improving the Nation’s Cybersecurity.” In section four of the executive order, “Enhancing Software Supply Chain Security,” multiple directives were issued, including instructions for publishing guidelines related to software development security for a wide range of issues concerning developing and deploying critical software.
A result of the executive order was a special publication by the National Institute of Standards and Technology titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM),” published in May of 2022. This 326-page document outlines a range of actions and prescriptive controls to implement C-SCRM practices.
The Cybersecurity and Infrastructure Security Agency (CISA) is leading government efforts by establishing a central reference point for multiple initiatives to address supply chain security risks. The CISA website has links to a wide range of informational and educational content. Information and communications technology (ICT) serves a critical role in our nation’s technology infrastructure. CISA has helped to sponsor the ICT Supply Chain Risk Management Task Force to identify and develop strategies focused on ICT supply chain security.
Many of the general supply chain threats sound similar to those you would expect to find in a list of corporate network security threats. The most prevalent attack comes from granting privileged access to outside vendors or to third-party software. This type of threat can be mitigated using a zero trust approach to granting privileges.
Another potential threat comes in the form of communications between a vendor’s network and the vendor’s software located on a customer’s network. While ostensibly used to provide software updates and even security fixes, this type of communication could be used as an attack vector by a malicious actor.
The Microsoft Open Source Software (OSS) Secure Supply Chain (SSC) Framework is an open guide to establishing best practices with regard to open source software used in supply chain software. The guide provides both potential threat sources and best practices to mitigate those risks.
CISA identifies five key steps needed to formulate a risk management program with regard to software supply chain security.
As one of the first steps toward mitigating risk, corporate support for a supply chain security policy should include simple things like a password policy, a corporate commitment to funding support for a cybersecurity team, and regular employee education. Many incidents, such as ransomware, find opportunities through email phishing campaigns and other personnel-involved attacks.
One of the key essentials identified in the CISA ICT SCRM Essentials document requires you to know your supply chain and suppliers. This includes identifying your supplier’s sources when possible. This can help identify any potential risks connected with external situations, such as international shipping bottlenecks.
Developing and deploying software in a secure fashion is no small task. The CISA publication “Securing the Software Supply Chain: Recommended Practices Guide for Developers” lays out a set of recommended guidelines “to help secure the software development life cycle (SDLC).” The Association for Computing Machinery (ACM), Carnegie Mellon University, the Massachusetts Institute of Technology and others are listed as references for examples, SDLC processes and practices, and additional information.
The NIST publication titled “Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities” is also listed as a primary source for risk management as well as steps that should be taken in the full life cycle of software development. This includes such things as programming languages, test frameworks, source code control and the use of standardized development environments.
Another consideration called out by the Recommended Practices Guide concerns threats posed by insiders. While rogue employees can’t always be prevented, policies can be put in place to help reduce the risk they present. This can include education in writing secure code and the use of least privilege when necessary.
Making security a priority throughout the supply chain, including the software supply chain, will greatly reduce corporate risk. CISA provides a wealth of resources to help any team get up to speed on the latest standards and procedures related to supply chain security. Better to invest in the necessary resources and personnel ahead of time than pay the price of a significant compromise down the line.
