With ransomware attacks increasingly impacting businesses, government agencies and critical infrastructure, President Joe Biden last week signed an executive order (EO) designed to shore up the nation’s cyber security. Among the seven sections described in the order, one requires a zero-trust model among government agencies, another tries to foster information sharing between the government and private sector, and a third establishes stricter security standards for any technology products sold to the government.
Most of the rules and requirements defined in the EO are directed at the government. The goal is to control how federal agencies not only handle security incidents but also procure and use hardware and software from the private sector. As the government is a significant purchaser of technology products, the hope is that vendors and developers will place a greater focus on security if only to keep one of their major customers happy.
But the same products that vendors and developers design for the government also end up in the hands of corporations and other businesses. Ideally, this should create a trickle-down effect in which the private sector starts demanding the same attention to security required by the government.
What will this new scenario mean for the companies that create and sell hardware and software? A report published last Thursday by supply chain security firm Finite State offers advice on how vendors and developers should prepare to follow the guidelines in the EO.
Section 4 of the EO is called Enhancing Software Supply Chain Security. It cites the problem of too many software programs that lack transparency, are unable to resist cyberattack, and have vulnerabilities that can be exploited by attackers. To address this issue, software developers will have to offer proof of the security of their products, their testing methods, any known vulnerabilities, and their ongoing security process. But simply filling out a questionnaire about their software development will no longer suffice, according to Finite State.
Instead, Finite State urges developers to adopt the following practices:
- Choose a specific person to act as an owner for product security, for example, a Contractor Program Security Officer (CPSO).
- Use automated tools to produce a reliable inventory of all the components of your software products, including elements from third-party software.
- Set up automated and scalable testing and remediation throughout the entire development of your product.
- Understand your own suppliers and their supply chains, including the use of an accurate and up-to-date inventory.
Section 3, Modernizing Federal Government Cybersecurity, will require software developers to employ automated tools or similar processes to maintain trusted source code, thereby ensuring its integrity.
To follow this requirement, developers should make sure that their engineering teams, development environments, and all source code are secured via best practices in a documented process, Finite State said. One of the best defenses against possible compromise is a traceable path from the original source code to your final software product.
Section 3 also requires that developers use automated tools or similar processes to check for and resolve any potential security vulnerabilities prior to release of the product.
For this one, developers will have to implement a strong security testing tool. Noting that this can be a challenge when testing in environments of connected or embedded devices, Finite State advises developers to develop new approaches for scalable security testing.
Section 4 obliges developers to provide customers with a Software Bill of Materials (SBOM) either directly or by posting it on a public website. An SBOM is a list of all the components that make up a software program.
Creating an SBOM can be tricky as so many applications contain third-party and open-source components rather than simply lines of code. A lot of open source and commercial tools are available that can help generate the SBOM, according to Finite State, but you’ll need to spend time training staff and developing the right processes.
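As an added illustration (not from the article or from Finite State's report), the script below builds a minimal SBOM for a hypothetical product from a constructed component inventory, recording each component's name, version and SHA-256 hash, and then checks a shipped set of components against that SBOM so that a modified, missing or undeclared component is flagged. The product name, package names and byte contents are all made up; the JSON layout is a simple illustrative format, not a standard SBOM schema.

```python
import hashlib
import json

# Constructed sample inventory for a hypothetical product: each component's
# name and version mapped to the bytes of the artifact that ships. These are
# made-up packages, not real ones.
COMPONENTS = {
    ("libparse", "2.4.1"): b"libparse 2.4.1 release binary",
    ("tlscore", "1.0.7"): b"tlscore 1.0.7 release binary",
    ("app-core", "3.1.0"): b"app-core 3.1.0 first-party code",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(product: str, version: str, components: dict) -> dict:
    """Record every component (name, version, hash) that makes up the product."""
    return {
        "product": {"name": product, "version": version},
        "components": [
            {"name": name, "version": ver, "sha256": sha256_hex(blob)}
            for (name, ver), blob in sorted(components.items())
        ],
    }


def sbom_to_json(sbom: dict) -> str:
    """Serialise the SBOM so it can be handed to a customer or published."""
    return json.dumps(sbom, indent=2, sort_keys=True)


def verify_shipment(sbom: dict, shipped: dict) -> dict:
    """Compare what actually ships against the SBOM: report components whose
    bytes no longer match, components listed but absent, and undeclared ones."""
    listed = {(c["name"], c["version"]): c["sha256"] for c in sbom["components"]}
    return {
        "modified": sorted(k for k, blob in shipped.items()
                           if k in listed and sha256_hex(blob) != listed[k]),
        "missing": sorted(k for k in listed if k not in shipped),
        "unlisted": sorted(k for k in shipped if k not in listed),
    }


if __name__ == "__main__":
    sbom = build_sbom("example-app", "3.1.0", COMPONENTS)
    print(sbom_to_json(sbom))
    tampered = dict(COMPONENTS)
    tampered[("tlscore", "1.0.7")] = b"tlscore 1.0.7 with unexpected change"
    print(verify_shipment(sbom, tampered))
```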
Another item from section 4 requires developers and vendors to provide customers with details on the tools and processes used to test and ensure the security of a product. For this one, Finite State tells developers that the output of any security testing tools must be transparent and user-friendly enough that customers can understand it and offer comment on any identified security issues.
Finally, section 4 also requires developers to show that they’re complying with secure software development practices. As such, Finite State tells developers and vendors that they must positively state that they’re meeting the necessary security requirements. A failure to do so could kill a specific government contract, lead to an investigation, and even block them from future government contracts.
“Ultimately, this executive order signals a new era for cybersecurity that puts regulators, developers and manufacturers, and the larger cybersecurity community firmly on the same page, speaking the same language,” Finite State said in its report. “It empowers security professionals to act with confidence and organizations to build out their security infrastructure to support their needs. The end result will be a safer, more secure national ecosystem that holds all of us accountable.”