Last Updated on September 15, 2021
President Biden’s “Executive Order on Improving the Nation’s Cybersecurity” will have sweeping impacts across both public and private sectors. In the wake of the devastating SolarWinds hack, Section 4 of the order, “Enhancing Software Supply Chain Security,” is intended to drive changes across the commercial software industry and will also affect software procurement at the federal level.
Section 4 mandates the collaborative development of guidelines for “enhancing software supply chain security” in line with a list of detailed requirements. Its focus is on understanding what assets you have, and then elevating the level of process management and reporting to ensure oversight and eliminate vulnerabilities. What is this likely to mean for those buying and selling software within the US federal ecosystem?
To address these kinds of critical questions around the Executive Order, a recent episode of The Virtual CISO Podcast features Scott Sarris, EVP of Digital Transformation and Cybersecurity Advisory Services at Aprio. The show’s host, John Verry, is Pivot Point Security’s CISO and Managing Partner.
Identifying SDLC security best practices
“Protecting the integrity of software is everything [given what] we’re doing now in cloud and software-defined,” observes Scott. “You better have good control over the repository and integrity of the software that you use, including downstream in the cloud.”
To that end, Section 4 raises a wide swath of issues, from the use of automation to maintain source code integrity to “attesting to conformity with secure software development practices” to the need for a “software bill of materials.”
“We’ve said for many years now that if you don’t know what you have, you can’t protect it,” Scott notes. “So, the software bill of materials I thought was fantastic.”
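The two Section 4 themes above, knowing what you have (the software bill of materials) and maintaining the integrity of what you ship, can be shown together in a small example. The code below is an added illustration, not from the podcast or from Pivot Point Security: it records each component of a product with its SHA-256 digest in a minimal CycloneDX-style document, then re-checks a deployed set of artifacts against that record and reports anything missing, modified or never listed. The component names, versions and artifact bytes are constructed sample data, and the SBOM layout is a deliberately reduced subset of the CycloneDX JSON shape.

```python
import hashlib
import json

# Constructed sample artifacts: (name, version) -> the bytes that were actually
# packaged. In practice these would be read from the build output or a lockfile.
SAMPLE_ARTIFACTS = {
    ("libfoo", "1.3.0"): b"def pad(s, n):\n    return s.rjust(n)\n",
    ("libbar", "2.26.0"): b"__version__ = '2.26.0'\n",
}


def sha256_hex(data: bytes) -> str:
    """Digest used as the integrity anchor for every listed component."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts, product_name="example-app", product_version="0.1.0"):
    """Produce a minimal CycloneDX-style SBOM (assumed reduced layout) for a product.

    Each component carries its name, version and a SHA-256 hash so a consumer
    can later confirm that what was delivered is what was inventoried.
    """
    components = []
    for (name, version), data in sorted(artifacts.items()):
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {
            "component": {"type": "application",
                          "name": product_name, "version": product_version}
        },
        "components": components,
    }


def verify_sbom(sbom, artifacts):
    """Compare the SBOM against the artifacts actually present.

    Returns a sorted list of findings as (kind, name, version) tuples, where kind is
    'missing' (listed but absent), 'modified' (present but digest differs) or
    'unlisted' (present but never inventoried). An empty list means full agreement.
    """
    findings = []
    listed = set()
    for comp in sbom["components"]:
        key = (comp["name"], comp["version"])
        listed.add(key)
        data = artifacts.get(key)
        if data is None:
            findings.append(("missing",) + key)
            continue
        recorded = {h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256"}
        if sha256_hex(data) not in recorded:
            findings.append(("modified",) + key)
    for key in artifacts:
        if key not in listed:
            findings.append(("unlisted",) + key)
    return sorted(findings)


def demo():
    """Build an SBOM, then check a drifted deployment against it."""
    sbom = build_sbom(SAMPLE_ARTIFACTS)
    deployed = dict(SAMPLE_ARTIFACTS)
    # One component's bytes changed after the inventory was taken ...
    deployed[("libfoo", "1.3.0")] = b"def pad(s, n):\n    return s.ljust(n)\n"
    # ... and one component appeared that was never inventoried.
    deployed[("libextra", "0.9.0")] = b"# not in the SBOM\n"
    return verify_sbom(sbom, deployed)


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_ARTIFACTS), indent=2))
    print(demo())
```

The point the check makes is that an SBOM only pays off when it is re-verified at the consuming end: the digest recorded at build time is what lets a downstream operator notice a component that was swapped or added before deployment, which is the gap the "if you don't know what you have, you can't protect it" remark is pointing at.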
Do we need a new, specific standard?
Section 4 puts the onus on the National Institute of Standards and Technology (NIST) to either rationalize existing standards on software supply chain security, or develop its own framework—in short order. As John points out, the industry has already produced some valuable guidance, notably the OWASP Software Assurance Maturity Model.
“I would love to see a more expansive treatment from NIST or one of the others in this area,” suggests Scott. “Particularly, kind of the overlay of the DevOps model. As the model many organizations are adopting, how do we integrate security functions into the DevOps model to emulate or replicate the concept of segregated functions performed within the organization.”
The need for an updated SDLC governance model
“How do we get the level of governance there that we can be comfortable with, and that assures us that the right things are done at each stage of the development and integration to a platform that we would’ve been comfortable with 10 or 15 years ago?” asks Scott. “I think it is going to require a level of reporting and process management that probably would not have been necessary when it was all segregated into different groups [e.g., development, operations, testing].
“Infrastructure as software says, ‘Well, we can just pretty well do that without any oversight or directions, documentation, governance, and so on,’” adds Scott. “How do we get to a level of governance [where] sufficient oversight is provided for some of these changes when the DevOps cycle is performed by a single team?”
For an authoritative view of the Cyber Executive Order that you won’t find elsewhere, listen to this podcast episode with Scott Sarris all the way through: EP#58 – Scott Sarris – The Cybersecurity Executive Order: What You Need to Know – Pivot Point Security
Looking for some related content about the Cybersecurity Executive Order? Check out this post: The Cyber Executive Order: What is the “Tone from the Top”? – Pivot Point Security