Just yesterday, November 9, new guidance was released by CISA, the NSA, and other partners relating to securing the software supply chain. It is important because it provides software developers and suppliers with best practices for maintaining and providing awareness about the security of software. The guidance, issued in a 32-page document on defense.gov, is intended to help organizations of all sizes improve the security of their software supply chain.
The new guidance covers a wide range of topics, including:
- How to identify and mitigate risks in the software supply chain
- How to implement security controls
- How to respond to incidents
Key Takeaways on Securing the Software Supply Chain
- Software developers and suppliers should have a process in place to identify and mitigate risks in the software supply chain. This process should include identifying the components that are used in the software, assessing the risks associated with those components, and implementing controls to mitigate those risks.
- Software developers and suppliers should implement security controls throughout the software development lifecycle. This includes implementing controls to secure the development environment, the software development process, and the software itself.
- Software developers and suppliers should have a plan in place to respond to incidents. This plan should include steps for identifying, containing, and eradicating incidents.
Further, the document outlines some best practices for software developers and suppliers to follow:
- Identify and mitigate risks in the software supply chain.
- Implement security controls throughout the software development lifecycle.
- Have a plan in place to respond to incidents.
Guidance on Software Bill of Materials (SBOMs)
The online document also provides guidance on how to consume Software Bill of Materials (SBOMs). This is useful for identifying changes in the SBOM, such as new or updated components. Organizations can use this information to assess the risks associated with these changes. It discusses the security risks associated with the origins of SBOMs, how to operationalize and scale the use of SBOMs, and how to use SBOM risk scoring to simplify raw SBOM data. It suggests that SBOM consumption will become increasingly automated and scalable in the future.
These recommendations include:
- Baseline component information: Organizations should collect baseline component information, such as product version number, dependency identifier, and SBOM author. This information can be used to identify the baseline attributes of a particular component.
- Acceptance/validation: Organizations should have a process in place to accept and validate SBOMs. This process should ensure that the SBOM is complete, accurate, and trustworthy.
- SBOM ingestion and management for enterprise: Organizations should use automated tools to ingest and manage SBOMs. This will help to scale the SBOM consumption process.
- Intrinsic value of having an SBOM: Organizations should understand the intrinsic value of having an SBOM. SBOMs can be used to improve software asset management, patch management, vulnerability management, licensing compliance, and technical debt management for an organization.
- Known vulnerabilities: This recommendation is important because it allows organizations to identify and prioritize remediation efforts. Organizations should use SBOMs to identify known vulnerabilities in their software.
- Query/reporting: Organizations should develop query and reporting capabilities to analyze SBOM data. This will help organizations to identify and manage risks.
Learn more about our modern solutions
With world-class technology, unmatched customer service, and decades of experience,
we deliver modern and creative technology-based solutions.
To learn more about these changes, head on over to cisa.gov’s official announcement on the changes. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations. You can further view the 32-page document yourself on their website, or by clicking here.
Still need help? Get in touch with us and we can dive into the changes with you further.