
US Gov Issues Supply Chain Security Guidance for Software Suppliers

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the second part of a three-part joint guidance on securing the software supply chain.


Created by the Enduring Security Framework (ESF), a cross-sector working group seeking to mitigate the risks threatening the critical infrastructure and national security, the guidance provides recommendations for developers, suppliers, and organizations.

In September, the three US agencies released the first part of the series, which included recommendations for developers looking to improve the software supply chain’s security.

The second part of the series, Securing the Software Supply Chain: Recommended Practices Guide for Suppliers (PDF), describes the best practices and standards that software suppliers should adopt to ensure software security from production through delivery.

The supplier, the three agencies note, is an intermediary between the developer and the customer (the organization buying the software). The supplier is responsible for maintaining the integrity of the delivered software, for validating the software, for maintaining awareness of known vulnerabilities, and for accepting customer reports on any identified issues and notifying the developer.

“The objective of a secure software development and delivery system is to help safeguard software code, provenance, and integrity, thereby creating resilience to compromise of the software supply chain or preventing it entirely,” the document reads.

The guidance offers recommendations for a secure software development lifecycle (Secure SDLC) and is meant to apply across multiple scenarios to ensure the secure delivery of software.

The agencies recommend defining the criteria used for performing software security checks. In addition, suppliers should ensure that code is protected from unauthorized access, that the integrity of software releases can be verified, that releases are archived and protected, that software meets security requirements, that third-party suppliers comply with security requirements, that software has security settings by default, and that executable code is tested, among other measures.


“The supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities,” the NSA says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
