NSA, CISA release compendium of security practices for software developers
Several agencies released a compendium of suggested practices for software developers Thursday to ensure greater supply chain security.
The National Security Agency, Cybersecurity and Infrastructure Security Agency, and Office of the Director of National Intelligence worked with industry to consolidate the recommendations for planning software security requirements, designing secure architectures, adding security features, and conducting source code review and testing.
Recent nation-state-led cyberattacks like the one on SolarWinds, which compromised its agency customers, and exploits taking advantage of software vulnerabilities like Log4j prompted the Enduring Security Framework — a cross-sector working group concerned with high-priority cyber threats to national critical infrastructure — to issue the guide.
“The developer holds a critical responsibility to the security of our software,” reads NSA’s statement. “As ESF examined the events that led up the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer.”
Suggested practices align with the Secure Software Development Framework, a conceptual document encouraging proof of security compliance using artifacts, and address insider threats, compromised remote development systems, vulnerability scanning, hardening the build environment, and verifying third-party components.
The guide recommends agencies also use it to assess the acquisition, deployment and operational phases of the software supply chain. Meanwhile suppliers can refer to the guide to assist vendors and agencies with secure software contracting, releases and updates, notifications, and vulnerability mitigations.
“Security is not just for the developer, which is why ESF will also release editions of this guidance for the supplier and the customer of software,” reads NSA’s statement. “We all have to do our part to secure our networks.”