U.S. government issues guidance for developers to secure the software supply chain: Key takeaways

Software supply chain attacks are on the rise, as cited in the Cloud Native Computing Foundation’s (CNCF’s) Catalog of Supply Chain Compromises. Industry leaders such as Google, the Linux Foundation, and OpenSSF, and public sector organizations such as NIST, have provided guidance on the topic over the past year or so.

The U.S. National Security Agency (NSA), alongside the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI), now joins that list with the publication Securing the Software Supply Chain: Recommended Practices Guide for Developers. The announcement of the publication emphasizes the role developers play in creating secure software and states that the guide strives to help developers adopt government and industry recommendations on doing so. Subsequent releases from the Enduring Security Framework (ESF) will focus on the supplier and the software consumer, given the unique role each plays in the broader software supply chain and its resilience.

At a high level, the document is organized into three parts:

  • Part 1: security guidance for software developers
  • Part 2: software supplier considerations
  • Part 3: software customer recommendations

The role of developers, software suppliers and customers

The guidance notes the unique role developers, suppliers and customers play in the broader software supply chain ecosystem.

[Figure: Software Supply Chain Group Relationships and Activities. Credit: U.S. Department of Defense]

Software providers and their development teams may find themselves caught in the dichotomy between speed to market and secure, resilient software or software-enabled products.

As noted in the image above, each of the three roles has respective security activities it can and should be doing. These activities span the gamut from initial secure software development, composition and architecture all the way through security acceptance testing and integrity validation on the customers’ end.

Copyright © 2022 IDG Communications, Inc.
