The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the second part of a three-part joint guidance on securing the software supply chain.
Created by the Enduring Security Framework (ESF), a cross-sector working group seeking to mitigate the risks threatening the critical infrastructure and national security, the guidance provides recommendations for developers, suppliers, and organizations.
In September, the three US agencies released the first part of the series, which included recommendations for developers looking to improve the software supply chain’s security.
The second part of the series, Securing the Software Supply Chain: Recommended Practices Guide for Suppliers (PDF), contains information on the best practices and standards that software suppliers should adopt to ensure software security from production through delivery.
The supplier, the three agencies note, is an intermediary between the developer and the customer (the organization buying the software) and is responsible for maintaining the integrity of the delivered software, for validating the software, for maintaining awareness of known vulnerabilities, and for accepting customer reports on any identified issues and notifying the developer.
“The objective of a secure software development and delivery system is to help safeguard software code, provenance, and integrity, thereby creating resilience to compromise of the software supply chain or preventing it entirely,” the document reads.
The guidance offers recommendations for a secure software development lifecycle (Secure SDLC) and is meant to be applicable to multiple scenarios, so that software is delivered securely in each of them.
The agencies recommend defining the criteria used for performing software security checks. In addition, suppliers should ensure that code is protected from unauthorized access, that the integrity of software releases can be verified, that releases are archived and protected, that software meets security requirements, that third-party suppliers comply with security requirements, that software has security settings by default, and that executable code is tested, among others.
“The supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities,” the NSA says.