The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released tips today on securing the software supply chain.
This guidance is designed by the Enduring Security Framework (ESF)—a public-private partnership that works to address threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers.
“Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations,” the Department of Defense’s intelligence agency said.
“Developers will find helpful guidance from NSA and partners on developing secure code, verifying third party components, hardening the build environment, and delivering the code. Until all DevOps are DevSecOps, the software development lifecycle will be at risk.”
The ESF plans to release two more advisories covering the remaining stages of the software supply chain lifecycle, one aimed at software suppliers and one at customers.
You can find detailed information on how to develop secure code, verify third-party components, harden build environments, and deliver code securely in today’s advisory [PDF].
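The "verify third-party components" practice named above, made concrete as an added example (this is not code from the advisory or from NSA/CISA): a set of artifacts that has been reviewed is pinned by SHA-256 digest in a lock file, and a later fetch of the same components is checked against those pins, so that a tampered artifact, a missing one, or an extra dependency nobody reviewed all fail the build instead of being ignored. The lock-file format (one `<sha256>  <component name>` line per component), the artifact contents and the function names are all assumptions made for this illustration.

```python
"""Pin and verify third-party components by SHA-256 digest.

Added illustration of the "verify third-party components" practice; not code
from the NSA/CISA advisory. The lock-file format and the sample artifacts are
constructed for this example.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def pin_components(reviewed: dict[str, bytes]) -> dict[str, str]:
    """Record digests for artifacts at the moment they were reviewed.

    A pin is only as trustworthy as this review step: it freezes exactly what
    was examined so later fetches can be compared against it.
    """
    return {name: sha256_hex(data) for name, data in reviewed.items()}


def write_pin_file(pins: dict[str, str]) -> str:
    """Serialize pins in the constructed lock-file format, sorted for stable diffs."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(pins.items()))


def parse_pin_file(text: str) -> dict[str, str]:
    """Parse the lock file, rejecting malformed or duplicate lines rather than skipping them."""
    pins: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<sha256>  <name>'")
        digest, name = parts
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: malformed SHA-256 digest")
        if name in pins:
            raise ValueError(f"line {lineno}: duplicate pin for {name!r}")
        pins[name] = digest
    return pins


def verify_components(fetched: dict[str, bytes], pins: dict[str, str]) -> dict[str, str]:
    """Compare freshly fetched artifacts against the pins.

    Every pinned component must be present and match, and anything fetched
    that is not pinned is reported too, so a silently added dependency is a
    failure rather than something the build quietly accepts.
    """
    report: dict[str, str] = {}
    for name, expected in pins.items():
        data = fetched.get(name)
        if data is None:
            report[name] = "missing"
        elif hmac.compare_digest(sha256_hex(data), expected):
            report[name] = "ok"
        else:
            report[name] = "digest mismatch"
    for name in fetched:
        if name not in pins:
            report[name] = "not pinned"
    return report


def build_may_proceed(report: dict[str, str]) -> bool:
    """The build continues only if every component verified cleanly."""
    return all(status == "ok" for status in report.values())


# Constructed sample: the artifacts as reviewed, then as re-fetched later.
REVIEWED = {
    "libexample-1.2.3.tar.gz": b"libexample 1.2.3 source (constructed)",
    "helper-0.9.0.whl": b"helper 0.9.0 wheel (constructed)",
}
FETCHED_LATER = {
    "libexample-1.2.3.tar.gz": b"libexample 1.2.3 source (constructed)",  # unchanged
    "helper-0.9.0.whl": b"helper 0.9.0 wheel (constructed) + injected code",  # tampered
    "extra-2.0.0.whl": b"a transitive dependency nobody reviewed (constructed)",
}

PIN_FILE = write_pin_file(pin_components(REVIEWED))
REPORT = verify_components(FETCHED_LATER, parse_pin_file(PIN_FILE))

if __name__ == "__main__":
    print(PIN_FILE)
    for name, status in sorted(REPORT.items()):
        print(f"{status:16} {name}")
    print("build may proceed:", build_may_proceed(REPORT))
```

Real package ecosystems already carry this mechanism (pip's `--require-hashes` mode, the `integrity` fields in an npm `package-lock.json`, Go's `go.sum`); the point of the example is what the check has to do to be useful: the pin file is reviewed, committed and compared on every fetch, a mismatch or an unpinned extra fails the build, and the digest comparison is constant-time.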
The guidance has been released after recent high-profile cyber attacks like the SolarWinds hack have highlighted weaknesses in the software supply chain that nation-state-backed threat groups can easily exploit.
After the SolarWinds supply-chain attack, disclosed when FireEye revealed in December 2020 that its own network had been breached, led to the compromise of multiple U.S. government agencies, President Biden signed an executive order in May 2021 to modernize the country's defenses against cyberattacks.
The White House released a new Federal strategy in January pushing U.S. government agencies to adopt a "zero trust" security model. This followed Biden's executive order and a February 2021 recommendation from the NSA and Microsoft that large enterprises and critical networks (National Security Systems, Department of Defense, Defense Industrial Base) adopt the same approach.
In May, the U.S. National Institute of Standards and Technology (NIST) also released updated guidance on how enterprises can better defend themselves from supply-chain attacks.
A Microsoft report from October 2021 also revealed that the Russian-backed Nobelium threat group kept targeting the global IT supply chain after hacking SolarWinds, attacking 140 managed service providers (MSPs) and cloud service providers and breaching at least 14 of them since May 2021.
Microsoft’s findings demonstrated the software supply chain had become an increasingly popular target for threat actors since it allows them to compromise a single product and impact numerous downstream companies that use it.
The danger of supply-chain attacks has been demonstrated repeatedly since Russian threat actors compromised SolarWinds to infect its downstream customers: Kaseya's MSP software was abused to encrypt the systems of over a thousand companies worldwide, and malicious npm modules have been used to execute remote commands on the systems that installed them.