Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

US Gov Issues Software Supply Chain Security Guidance for Customers

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the last part of a three-part joint guidance on securing the software supply chain.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the last part of a three-part joint guidance on securing the software supply chain.

The guidance was created by the Enduring Security Framework (ESF), a cross-sector working group focused on mitigating risks to critical infrastructure and national security, and provides recommendations on software supply chain security best practices to developers, suppliers, and organizations.

The first part of the series offers recommendations for software developers, while the second part is aimed at software suppliers. The third part is aimed at the software customer, representing the organizations that purchase, deploy, and maintain software within their environments.

The document (PDF) details recommended practices customers should apply when acquiring, deploying, and using software, providing examples of attack scenarios and mitigations.

Regarding software procurement, the three agencies recommend paying attention to the organization’s requirements, including security and supply chain risk management (SCRM) activities, performing product evaluation, including evaluating software bill of materials (SBOM), and evaluating suppliers before signing contracts.

This should mitigate risks associated with acquiring products that do not meet requirements or which are plagued by vulnerabilities or have been tampered with, as well as contracting suppliers under foreign control or which have poor security hygiene.

When it comes to software deployment, customers are advised to thoroughly examine products upon receiving them, to perform functional testing and validate the product from a security perspective, establish a configuration control board (CCB) in charge of product lifecycle, ensure that the product integrates with the existing environment, and monitor updates.

These deployment controls eliminate risks such as substituted or incomplete products, unexpected changes in functionality, the use of unverified components, the presence of dormant malware or malicious functionality, data leaks, infrastructure compromise, incomplete product reports, support issues, incomplete or false integration assessments, and potentially malicious or compromised updates.

Organizations are also advised to take proper care of products that have reached end-of-life (EoL) or which are being decommissioned, and to ensure that an effective training program is implemented for new products.

Furthermore, software customers are advised to pay attention to how a product is operated, to ensure that vulnerabilities and functionality changes are identified, that updates are applied in a timely manner, and that malicious software is eliminated before harming the organization.

Related: US Gov Issues Supply Chain Security Guidance for Software Suppliers

Related: US Gov Issues Guidance for Developers to Secure Software Supply Chain

Related: US Agencies Issue Guidance on Responding to DDoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.