US Gov Issues Supply Chain Security Guidance for Software Suppliers

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the second part of a three-part joint guidance on securing the software supply chain.

Created by the Enduring Security Framework (ESF), a cross-sector working group that seeks to mitigate risks to critical infrastructure and national security, the guidance provides recommendations for developers, suppliers, and customer organizations.

In September, the three US agencies released the first part of the series, which included recommendations for developers looking to improve the software supply chain’s security.

The second part of the series, Securing the Software Supply Chain: Recommended Practices Guide for Suppliers (PDF), describes the best practices and standards that software suppliers should adopt to ensure software security from production through delivery.

The supplier, the three agencies note, is an intermediary between the developer and the customer (the organization buying the software) and is responsible for maintaining the integrity of the delivered software, validating the software, maintaining awareness of known vulnerabilities, and accepting customer reports on any identified issues and notifying the developer.

“The objective of a secure software development and delivery system is to help safeguard software code, provenance, and integrity, thereby creating resilience to compromise of the software supply chain or preventing it entirely,” the document reads.

The guidance offers recommendations for a secure software development lifecycle (Secure SDLC) and is intended to apply across multiple scenarios so that software is delivered securely.

The agencies recommend defining the criteria used for performing software security checks. In addition, suppliers should ensure that code is protected from unauthorized access, that the integrity of software releases can be verified, that releases are archived and protected, that software meets security requirements, that third-party suppliers comply with security requirements, that software has security settings by default, and that executable code is tested, among others.

“The supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities,” the NSA says.

Related: US Gov Issues Guidance for Developers to Secure Software Supply Chain

Related: US Agencies Issue Guidance on Responding to DDoS Attacks

Related: NSA Publishes Best Practices for Improving Network Defenses

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
