NSA and partners release software supply chain guidance

On September 1, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) released Securing the Software Supply Chain for Developers. The guidance was produced through the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance addressing high-priority threats to the nation’s critical infrastructure.

Developers hold a critical responsibility for the security of our software. As ESF examined the events that led up to the SolarWinds attack, it became clear that investment was needed in a set of best practices focused on the needs of the software developer. Securing the Software Supply Chain for Developers was created to help developers achieve security through recommendations evaluated by both industry and government. The guidance consolidates valuable resources already published for developers to put to use.

As cyber threats continue to grow more sophisticated, adversaries have begun to attack the software supply chain rather than rely on publicly known vulnerabilities. A supply chain compromise allows malicious actors to move through networks largely undetected. To counter this threat, the cybersecurity community needs to focus on securing the software development lifecycle.

Developers will find helpful guidance from NSA and partners on developing secure code, verifying third-party components, hardening the build environment, and delivering the code. Until all DevOps are DevSecOps, the software development lifecycle will be at risk.

Source: NSA