President Biden’s Executive Order Demands Cybersecurity for Software Supply Chains

Eran Orzel
Jun 23 · 5 min read

The SolarWinds Attack Was the Industry’s Wakeup Call

The new wave of software supply chain attacks that hit SolarWinds, Codecov, and hundreds of other companies is reshaping how the industry thinks about build and delivery security. Attackers are exploiting the high complexity and weak security controls of the modern software development process, and because a single compromised build is shipped downstream, the damage lands not only on the attacked company but on its thousands of customers.

In reaction to the SolarWinds attack, President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity," on May 12, 2021. It aims to improve the Federal Government's cybersecurity defenses and to establish a partnership with the private sector to do so.

“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors... Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”

The 7 Guidelines from The Cybersecurity Executive Order

Under the Executive Order, the “prevention, detection, assessment, and remediation of cyber incidents” is declared a top priority and essential to national and economic security.

The Executive order highlights the following areas:

  1. Removing Barriers to Sharing Threat Information. Contract terms for IT and OT service providers are to be revised so that vendors can, and must, share threat and incident information with government agencies and support them in detecting and responding to cyber threats and incidents.
  2. Modernizing Federal Government Cybersecurity. Adopting security best practices; advancing toward a Zero Trust Architecture; accelerating the move to secure cloud services; centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing risk; and investing in both the technology and the personnel needed to meet these modernization goals.
  3. Enhancing Software Supply Chain Security. Implementing more rigorous and predictable mechanisms to ensure that products function securely and as intended, and improving the security and integrity of the software supply chain, with priority given to "critical software" as NIST defines it under the order.
  4. Establishing a Cyber Safety Review Board. Modeled on the National Transportation Safety Board, the Board reviews and assesses significant cyber incidents and recommends improvements to cybersecurity and incident response practices. The order directs that its first review cover the SolarWinds intrusion.
  5. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents. Updating government response processes so that agencies share a common understanding of what constitutes an incident and coordinate their response centrally, rather than each agency improvising its own procedure.
  6. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks. Deploying endpoint detection and response (EDR) across agencies to increase the Federal Government’s visibility into, and detection of, vulnerabilities and threats on agency networks.
  7. Improving the Federal Government’s Investigative and Remediation Capabilities. Establishing event logging and log retention requirements so that breaches can be detected, stopped while in progress, and fully scoped afterward, improving both investigation and remediation.

Software Supply Chain Security is the Main Focus Area

Preventing software supply chain attacks is one of the key focus areas of the new Executive Order, since SolarWinds was one of its main drivers. In the words of the order:

“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”

Under the executive order, the Director of NIST (National Institute of Standards and Technology) must publish, within 180 days of the order, preliminary guidelines for enhancing software supply chain security. Those guidelines are to include criteria for evaluating the security of software and of the development practices of its suppliers, and to identify tools or methods that demonstrate conformance with secure practices. A further set of guidelines, including procedures for periodically reviewing and updating the first set, follows within 360 days of the order.

The guidance is to cover standards, procedures, and criteria in the following areas:

  1. Securing software development environments – Using administratively separate build environments, documenting and minimizing dependencies on the enterprise products that make up the build environment, auditing trust relationships, establishing multi-factor, risk-based authentication and conditional access, encrypting data, and continuously monitoring operations and alerts and responding to attempted and actual cyber incidents.
  2. Ensuring code integrity – Deploying automated tools (or comparable processes) to maintain trusted source code supply chains, so that the integrity of the code is preserved from commit through build and release.
  3. Ensuring open-source integrity – Ensuring, and attesting to the extent practicable, to the integrity and provenance (origin) of the open-source components used in any part of a product.
  4. Automating the detection and remediation of risks – Deploying automated tools or processes that regularly check for known and potential vulnerabilities in the development process and remediate them.
  5. Maintaining accurate and up-to-date data – Keeping current information on the provenance of code and on the internal and third-party software components, tools, and services present in the development process; auditing and enforcing controls over them on a recurring basis; being able to provide purchasers with artifacts that demonstrate conformance with these practices and with the execution of the tools above; and providing a Software Bill of Materials (SBOM) for each product.
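Items 3 and 4 above come down to one concrete control in practice: every third-party component the build consumes is pinned to an exact version and a cryptographic digest, and the build refuses to proceed when the downloaded artifact does not match. The script below is an added illustration of that check, not code from the Executive Order, NIST, or Argon. It reads a constructed lock file in the `pkg==version --hash=sha256:<hex>` form that pip's `--require-hashes` mode uses, compares each pinned digest against a constructed set of "downloaded" artifacts (package names, versions and bytes are placeholders), and reports unpinned entries, pinned-but-unhashed entries, and digest mismatches separately, because each is a different gap an attacker could use.

```python
import hashlib
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form pip's --hash=sha256: pins use."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts for this example; these are not real releases.
SAFE_BYTES = b"safe-lib 1.4.2 sdist contents (constructed)"
ORIGINAL_TAMPERED_BYTES = b"tampered-lib 0.9.0 sdist contents (constructed)"
DOWNLOADED_TAMPERED_BYTES = b"tampered-lib 0.9.0 sdist contents (modified in transit)"

# Constructed lock file. safe-lib and tampered-lib are pinned with the digest
# of their *original* bytes; unpinned-lib floats; nohash-lib has no digest.
REQUIREMENTS = f"""\
# pinned by version and sha256 digest
safe-lib==1.4.2 --hash=sha256:{sha256_hex(SAFE_BYTES)}
tampered-lib==0.9.0 --hash=sha256:{sha256_hex(ORIGINAL_TAMPERED_BYTES)}
unpinned-lib>=2.0
nohash-lib==3.1.0
"""

# What the resolver actually fetched, keyed by package name (constructed).
DOWNLOADED = {
    "safe-lib": SAFE_BYTES,
    "tampered-lib": DOWNLOADED_TAMPERED_BYTES,   # altered after pinning
    "unpinned-lib": b"whatever the index served today",
    "nohash-lib": b"nohash-lib 3.1.0 sdist contents (constructed)",
}


@dataclass
class Finding:
    package: str
    status: str   # "ok", "unpinned", "no-hash", "mismatch", "missing-artifact"
    detail: str = ""


LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>\S+)?(?P<rest>.*)$"
)
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def verify_requirements(requirements: str, artifacts: dict) -> list:
    """Check each requirement line against the artifact that was downloaded."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if m.group("op") != "==":
            findings.append(Finding(name, "unpinned",
                                    f"specifier '{m.group('op') or ''}' is not an exact pin"))
            continue
        pinned = {h.lower() for h in HASH_RE.findall(m.group("rest"))}
        if not pinned:
            findings.append(Finding(name, "no-hash",
                                    "version pinned but no digest; a swapped artifact would pass"))
            continue
        data = artifacts.get(name)
        if data is None:
            findings.append(Finding(name, "missing-artifact", "nothing downloaded to verify"))
            continue
        actual = sha256_hex(data)
        if actual in pinned:
            findings.append(Finding(name, "ok", actual))
        else:
            findings.append(Finding(name, "mismatch",
                                    f"expected one of {sorted(pinned)}, got {actual}"))
    return findings


def install_allowed(findings: list) -> bool:
    """Fail closed: proceed only when every requirement verified cleanly."""
    return bool(findings) and all(f.status == "ok" for f in findings)


if __name__ == "__main__":
    results = verify_requirements(REQUIREMENTS, DOWNLOADED)
    for f in results:
        print(f"{f.status:16} {f.package}: {f.detail}")
    print("install allowed:", install_allowed(results))
```

The two non-"ok" statuses that are not outright mismatches are the ones teams most often overlook: an unpinned range lets the index decide what gets built, and a version pin without a digest still trusts whatever bytes arrive under that version label. Treating both as build failures, not warnings, is what turns the guideline into a control.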

Why Should All Enterprises Care?

The supply chain security guidelines above define a set of policies for protecting the software supply chain and ensuring source code integrity. They are written for federal procurement, but they apply just as well to any enterprise that delivers software to end users.

Applying these measures gives companies visibility into, and control over, their software development lifecycle, which is what it takes to stop this class of attack: the attacker's goal is to alter what gets built without the builder noticing. By adopting the procedures above, enterprises limit both the likelihood and the blast radius of supply chain attacks that threaten not only them but also their customers.

The cybersecurity executive order will have a significant impact on software supply chain security by using the federal procurement process to push the software industry toward more secure products and services. Although meeting some of its requirements will take time, it raises awareness of, and focus on, the measures that enhance product security and prevent supply chain attacks.

How can Argon help?

Real protection against software supply chain attacks takes a purpose-built security solution that provides end-to-end visibility and is integrated into the CI/CD process itself. Argon’s holistic security solution protects the integrity of the software development environment’s CI/CD pipelines, reducing the risk from misconfigurations and vulnerabilities and helping prevent large-scale software supply chain attacks. It gives companies unified visibility, security enforcement, and code integrity across the entire CI/CD pipeline, so that DevOps and security teams can secure the whole software delivery process from commit to release. Argon helps companies meet the executive order’s supply chain requirements without slowing down or interfering with the speed and agility of their software development process.


