NSA and CISA share tips for securing the software supply chain


The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) today released advice on how to protect the software supply chain.

The guide was produced by the Enduring Security Framework (ESF), a public-private partnership working to address threats to US critical infrastructure and national security systems, and is intended as a collection of recommended practices for software developers.

“Securing the Software Supply Chain for Developers was created to help developers achieve security through recommendations evaluated by industry and government,” the Defense Department’s intelligence agency said.

“Developers will find helpful guidance from the NSA and partners on developing secure code, verifying third-party components, hardening the build environment, and delivering code. Until all DevOps is DevSecOps, the lifecycle of software development will be at risk.”

The ESF will publish two more advisories covering the rest of the software supply chain lifecycle; those parts of the series will focus on software vendors and customers.

Detailed information on how to develop secure code, verify third-party components, harden build environments, and deliver code securely is available in today’s advisory (PDF).


The guidance was released after recent high-profile cyberattacks, such as the SolarWinds hack, highlighted weaknesses in the software supply chain that are easily exploited by nation-state-backed threat groups.

After the SolarWinds supply chain attack, disclosed in December 2020 when FireEye revealed that its own network had been breached, snowballed into the compromise of multiple US government agencies, President Biden signed an executive order (EO 14028) in May 2021 to modernize the country’s defenses against cyberattacks.

In January, the White House launched a new federal strategy pushing the US government to adopt a “zero trust” security model. That strategy was prompted by the executive order; the NSA and Microsoft had already recommended the approach in February 2021 for large enterprises and critical networks (National Security Systems, the Department of Defense, and the Defense Industrial Base).

In May, the US National Institute of Standards and Technology (NIST) also released updated guidance (SP 800-161 Rev. 1) on how organizations can better defend against supply chain attacks.

An October 2021 Microsoft report also revealed that the Russian-backed Nobelium threat group continued to target the global IT supply chain after the SolarWinds compromise, attacking 140 managed service providers (MSPs) and cloud service providers and breaching at least 14 of them since May 2021.

Microsoft’s findings showed that the software supply chain had become an increasingly popular target for threat actors, since compromising a single product lets them reach every organization that uses it.

The danger of supply chain attacks has been demonstrated repeatedly since Russian threat actors compromised SolarWinds to infect its downstream customers: the Kaseya MSP software was abused to push ransomware that encrypted the systems of over a thousand companies around the world, and malicious npm modules have been used to execute remote commands on the machines that installed them.

Source: www.bleepingcomputer.com