Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

US Gov Issues Guidance for Developers to Secure Software Supply Chain

Three U.S. government agencies — Cybersecurity and Information Security Agency (CISA), the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) — have announced the release of the first part of a three-part joint guidance on securing the software supply chain.

Three U.S. government agencies — Cybersecurity and Information Security Agency (CISA), the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) — have announced the release of the first part of a three-part joint guidance on securing the software supply chain.

The guidance has been created by the Enduring Security Framework (ESF), a cross-sector working group led by the NSA and CISA and focused on addressing the risks threatening critical infrastructure and national security.

The first part of the series, the Securing Software Supply Chain Series – Recommended Practices for Developers [PDF], provides recommended best practices for software developers looking to improve the security of the software supply chain.

“This document will provide guidance in line with industry best practices and principles which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure,” the group said.

Meant to be applicable to a multitude of scenarios, the guidance offers actionable recommendations for a secure software development lifecycle (Secure SDLC), a first step towards a secure software supply chain.

Development teams are advised to adapt and customize the secure SDLC process to meet their specific needs, identifying the procedures and policies they can use to ensure the implementation of secure development practices.

“The top-level organizational management team must ensure secure development policies and procedures are supported within the budget and schedule and are implemented and adhered to by the assigned development teams,” the guidelines added.

The document details common threat scenarios that may occur during the software development lifecycle and provides recommendations on mitigations, architecture and design documents, the creation of threat models and security test plans, release criteria, vulnerability handling policies, and assessment and training.

The guidelines also recommend various Secure SDLC processes and practices provided by NIST, Carnegie Mellon University, OWASP, US-Cert, OpenSSF, and others.

Related: Software Supply Chain Attacks Tripled in 2021: Study

Related: Cyber Insights 2022: Supply Chain

Related: CISA, NIST Provide New Resource on Software Supply Chain Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.