Jun 23
The new wave of software supply chain attacks that targeted SolarWinds, Codecov, and hundreds of other companies is taking the world by storm. Attackers are taking advantage of the high complexity and low security within the modern software development process to expose and cause massive damage, not only to the attacked company, but to their thousands of customers.
In reaction to the SolarWinds attack, President Biden released an Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021, aimed at improving the Federal Government’s cybersecurity defense, and establishing a partnership with the private sector to do so.
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors…. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
Under the Executive Order, “prevention, detection, assessment, and remediation of cyber incidents” are defined as a top priority and fundamental to national and economic security.
The Executive Order highlights the following areas:
Preventing software supply chain attacks is one of the key focus areas in the new Executive Order, as SolarWinds was one of the main drivers for it. According to the Executive Order:
“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”
Under the Executive Order, within 180 days of the date of the order, the Director of NIST (National Institute of Standards and Technology) shall publish preliminary guidelines for enhancing supply chain security. Criteria for evaluating secure software development environments, along with innovative tools or methods that demonstrate conformance with secure practices, will be defined, and an additional set of guidelines will be published within the year.
Such guidance shall include the following standards and procedures:
The supply chain security guidelines above provide a set of defined policies aiming to protect the software supply chain and ensure source code integrity; these are not only relevant for government entities, but really for all enterprises which deliver software to their end-users.
Applying such measures will allow companies to gain visibility and control over their software development lifecycle, a standard that has become crucial in order to stop these sophisticated software supply chain attacks. By deploying the procedures above, enterprises can limit the risk and damage from supply chain attacks which threaten to impact not only them but also their customers, dramatically increasing the organization’s security posture.
The cybersecurity executive order will have a significant impact on software supply chain security, leveraging the federal procurement process to push the software industry to build more secure products and services. Although it might take time to achieve some of the executive order requirements, it will increase awareness and focus on measures that enhance product security and prevent supply chain attacks.
It takes a purpose-built security solution that provides end-to-end visibility and is integrated into the CI/CD process to achieve real and meaningful protection against software supply chain attacks. Argon’s first-to-market holistic security solution protects the integrity of the software development environment’s CI/CD pipelines, eliminating the risk from misconfigurations and vulnerabilities and preventing large-scale software supply chain cyber-attacks. The Argon solution provides companies with unified visibility, security enforcement, and code integrity across the entire CI/CD pipeline, enabling DevOps and security teams to secure their entire software delivery process from commit to release. Argon enables companies to automatically and seamlessly adhere to the Executive Order on cybersecurity, without impacting or interfering with the speed and agility of their software development process.
#DevSecOps #solarwinds #CICDsecurity #softwaresupplychain #cyberattacks