The White House published a memo requiring agencies to comply with guidance from the Office of Management and Budget (OMB) which aims to improve software supply chain integrity and security.
Signed by OMB Director Shalanda Young, the memo builds on Executive Order (EO) 14028, Improving the Nationâs Cybersecurity from May 2021, which is focused on the security and integrity of the software supply chain.
That EO emphasized the importance of secure software development environments and directed the National Institute of Standards and Technology (NIST) to issue guidance identifying practices that enhance the security of the software supply chain.
The recent memo, published on September 14, requires each federal agency to comply with the NIST guidance when using third-party software on the agencyâs information systems or otherwise affecting the agencyâs information.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said it is heartening to see the memo establish a desire for consistency in the process by which they obtain self-attestations from suppliers.
âSuch consistency and any eventually-centralized repository should help minimize the burden suppliers have in complying with the requirements of this memo,â he explained. âThis is the first point where we have a directive for agencies to comply with guidance emerging from EO 14028.â
Software Supply Chain Security: A Challenging Space
Mackey said the single most important thing to realize is that software security is a problem space and that there is no silver bullet.
âNo single action will prevent the next ransomware attack and the execution of tools doesnât inherently fix vulnerabilities,â he said. âThis is a highly technical space that is rather complex and nuanced. Well-intentioned humans will always make some mistakes and perfection isnât attainable.â
That means the IT security industry needs to accept that software will always have weaknesses that can be exploited in certain circumstances.
âThe moment you combine software into a supply chain, the potential for weaknesses increases and the potential for the authors of components within the supply chain to know the circumstances of how their software is used goes down,â Mackey said.
Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions, said from his perspective, the White Houseâs EO on improving the nationâs cybersecurity was a step in the right direction.
He said the OMB guidance is another good step; however, he added that this is a very long journey that will be measured not in months, but in years and, possibly, decades.
âThe guidance focuses on vendor self-attestations and not independent validation,â he pointed out. âA government software supplier could claim to comply with NIST standards, but without third-party confirmation, the agency wonât know for sure. Zero-trust principles should apply here, too; donât trust that a supplier is compliantâconfirm it.â
He argued that the biggest threat to supply chain security is the complexity in defending against supply chain threats.
âPoint-in-time security questionnaires are a legal requirement, not a preventive control. The number of third-party providers can be staggering, with security teams having to assess hundreds of providers,â he said.
Holland pointed out that security teams often donât know the sensitive data their suppliers can access or the attack paths coming from their partners.
âAdversaries often do a better job of data discovery than defenders,â he added.
A Plan For Moving Forward
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, said the idea behind the governmentâs plan is good and the NIST guidelines are solid.
âWhat remains to be seen is how vendors will implement the guidance and whether it is enough to deal with a very dynamic threat space,â he added.
He said while zero-day vulnerabilities still get the biggest headlines, the fact remains that users represent the broadest threat surface.
âPhishing, social engineering and other attacks against personnel remain consistent threat vectors and will almost certainly remain so,â he explained. âHaving the most secure application code and supply chain wonât help when users are still giving up their passwords.â
Parkin said by requiring third-party vendors to adhere to the NIST standards, they can encourage them to develop software that is more secure and more robustâbut that only really applies to vendors that want to work in the government space.
âThey canât necessarily push those standards on the public sector,â he noted. âAnd without a robust testing scheme to assure that when a vendor says âWe complyâ, that they actually do, some risks will remain.â
Mackey said mitigating software supply chain threats requires an understanding of the risk such threats pose to both the production of software and its associated operation and communicating the nature of those risks from producers to operators.
Properly managing software supply risk requires teams to move from a paradigm where tools are run and teams âdo securityâ to one where the impact of findings from tools are understood and mitigations are made based on the context of how the given application runs.
âSolving this problem requires teams to think in terms of risk analysis first and then identify which tooling is best positioned to provide data supporting the analysis,â he explained.
Parkin added that threat actors have always adapted to the defenses put in place to stop them, and itâs difficult to say what technique theyâll shift to next.
âThey will continue to look for vulnerabilities in the software, and they will continue to go after the users using whatever technique they find works,â he warned.