On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) published the final part of its three-section series on securing the software supply chain.
The publication, which follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers, provides recommended practices for customers to ensure the integrity and security of software during the procurement and deployment phases.
The document was published in collaboration with the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI).
The new document describes various scenarios that threat actors could exploit. These include cases where security requirements intended to counter threats are not domain-specific or omit organizational requirements, and where gaps in the analysis of security requirements lead to a mismatch between the solution and the selected security controls.
“General security inadequacies may also prevail when a product isn’t properly protected, when a customer is associated with suspicious geolocation and metadata, or when a customer is suspected to be associated with foreign interests,” CISA wrote.
The agency provided a series of recommendations to help reduce vulnerabilities in the procurement and acquisition phase.
Among them are keeping security requirements and risk assessments up to date through business processes, and requiring adequate protection and control of the geolocation of all data and metadata.
Further, companies should, among other measures, assign individual roles to verify the domain-specific and organizational security requirements and coordinate risk profile definitions with mission and enterprise areas.
“Software production is usually done by industry, so there will be industry forces that will resist wanting to produce software bills of materials (SBOMs),” said Sounil Yu, the chief information security officer at JupiterOne.
“Since both industry and government consume software, it is in the best interests of both industry and government to support sharing SBOMs. However, we’ll see less resistance within the government.”
CISA also said that security requirements should be established for all acquisitions. When acquiring software through spin-offs, external entities, or third-party suppliers, customers should implement continuous monitoring of the entire supply chain risk management (SCRM) calculation, as well as appropriate controls to mitigate changes to assumptions and security risks.
“Users of third-party products should maintain an accurate inventory with SBOM solutions to understand dependencies and risks,” commented Melissa Bischoping, director of endpoint security research at Tanium.
“While we hope to see more software providers offer clear and transparent documentation of dependencies and libraries, SBOM is a powerful tool that can provide critical insight when vulnerabilities emerge.”
Supply chain security guidelines were also published by the National Cyber Security Centre (NCSC) in the UK last month.