NIST Delivers Two Key Publications to Enhance Software Supply Chain Security Called for by Executive Order
The National Institute of Standards and Technology (NIST) is acting quickly to fulfill its assignments to improve the Nation’s cybersecurity. Its moves are in line with the recent Presidential Executive Order 14028.
Just a month after defining critical software, NIST has made significant strides towards enhancing the security of the software supply chain by publishing guides on:
These guides come after NIST’s intense consultation with the Office of Management and Budget (OMB), the Cybersecurity & Infrastructure Security Agency (CISA), and the National Security Agency (NSA), as required under the executive order (EO). They are also based on substantial public input via a virtual workshop and call for papers.
This post seeks to help you understand what these guidelines mean for your business. (Recommendations are based on NIST best practices and NSA’s experience in data protection.)
Do these Guidelines Matter to My Business?
The referenced guidelines are significant to your business for several reasons.
One, open-source code is everywhere. It’s in community projects and proprietary codebases. Yet, the type and amount of open-source code you’re using have significant impacts on your cybersecurity.
Two, there are increasing cases of cyberattacks on businesses, leading to significant data losses and inconveniences. After all, it’s these ransomware attacks that inspired the executive order (EO). The NIST guidelines step in to provide preventive measures while recommending robust threat detection, documentation, and mitigation.
Three, as a small or midsize business, you’re often ill-equipped to tackle sophisticated cyberattacks. Thus, having a guide in your corner to help identify threats, determine their impact, discover causes, and restore normal operations promptly is essential.
Four, you cannot solely rely on your Managed Services Provider (MSP). As the recent REvil attacks indicate, MSPs are high-value targets thanks to their massive database. As Kevin Reed, CISO at Acronis, puts it:
“One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all.”
It’s, therefore, vital to understand and follow NIST mitigation guidelines and report any ransomware attacks to the IC3.
NIST’s Mitigation Guidelines
As mentioned, NIST just provided an extensive list of security measures for your critical software and critical platforms – as outlined below.
To prevent unauthorized access:
- Use multi-factor authentication for administrators and users. (Think of two-factor authentication that identifies and resists user impersonation.)
- Uniquely identify and authenticate each service trying to access the software.
- Employ privileged access management principles like proxying & logging all administrative sessions to the platform
- Employ network isolation, segmentation, and other boundary protection techniques as needed. (The goal is to minimize direct access to the critical software.)
To protect the integrity, availability, or confidentiality of data:
- Establish and maintain a data inventory
- Enforce the principle of least privilege (to access the software) to the extent possible
- Encrypt sensitive data as per NIST’s cryptographic standards
- Encrypt sensitive data communications too
- Employ mutual authentication for data in transit
- Backup the data (and restore it as needed)
To identify and maintain the EO-critical software and protect it from exploitation:
- Establish and maintain an inventory of your platforms and the software deployed in them
- Identify, record, and mitigate all identified vulnerabilities promptly.
- Identify, implement, and control the “right” hardened security configuration for your critical software/platform.
To quickly detect, deal with, and recover from cyber threats:
- Configure the software’s logging to record any necessary security events
- Monitor the security of your software and platforms continuously
- Employ endpoint security protection
- Employ network security protection (to track any network traffic to and from your software/platforms)
To strengthen the human actions that ensure the security of your platforms/software:
- Train your personnel on relevant security measures for the software supply chain
- Conduct frequent awareness programs to reinforce the training
- Measure the effectiveness of the training offered for continuous improvement purposes
Besides the security measures, NIST also published a guide detailing the minimum standards for software testing. The goal is to ensure the “right” code is developed for essential features of the software. (At an enterprise scale, this entails many features, applications, and developers.)
To ensure the critical software performs as intended and is adequately free from vulnerabilities:
- Use automated testing for software analysis.
- Use a code scanner to look for fatal vulnerabilities.
- Use relevant tools to identify hardcoded secrets and sections of the software code that may require a manual review.
- Run the critical software with built-in tests/checks and protections
- Catalog test cases in terms of input boundary analysis, specifications, threat modeling, etc.
- Run a fuzzer or web application scanner for web services software
- Correct the must-fix vulnerabilities
- Review test cases for improvement purposes
- Use similar tests and techniques to ensure the included libraries, services, and packages are as secure as the code.
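To make the hardcoded-secrets step above concrete, here is a small scanner added for this article (it is not NIST's tooling or any vendor's product). It flags known credential shapes and routes low-entropy credential assignments to manual review; the rule names, the 3.5-bit threshold, and the sample file are assumptions chosen for illustration.

```python
import math
import re

# Patterns for well-known credential shapes (illustrative, not exhaustive).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# name = "literal" assignments whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token|api_?key)\w*)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)

def shannon_entropy(text):
    """Bits per character; random tokens score higher than words."""
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def scan(source, entropy_threshold=3.5):
    """Return (line_no, rule, verdict) findings for one file's text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, rule, "secret"))
        match = ASSIGNMENT.search(line)
        if match:
            value = match.group(2)
            # High-entropy literal: likely a real secret. Low entropy: could be a
            # placeholder or a weak password, so route it to a human reviewer.
            verdict = "secret" if shannon_entropy(value) >= entropy_threshold else "manual-review"
            findings.append((line_no, "credential-assignment:" + match.group(1), verdict))
    return findings

# Constructed sample input; the AKIA value is AWS's documented example key ID.
SAMPLE = '''\
db_host = "db.internal.example"
db_password = "changeme-please"
api_key = "q7Zp2LxV9mKd4RtY8sWb1NcE"
aws_id = "AKIAIOSFODNN7EXAMPLE"
timeout = 30
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run it in CI against changed files and fail the build on any `secret` verdict, while sending `manual-review` findings to a code reviewer.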
But even with the best guidelines in the world, it pays to understand what’s in your software supply chain.
What’s a Software Supply Chain?
A software supply chain is like the traditional chain of processes employed to supply commodities, from conception to customer. In the software chain, however, the raw material is the code. The manufacturer is the developer. And the supplier is the commercial or open-source code vendor.
While we are often familiar with the downstream side of the chain, the upstream is rather peculiar. Think of the marketing, sales, and retailing processes. What will the software integrate with before reaching the end-user?
The situation is tricky in cases of open-source code, thanks to its dependencies and vulnerabilities.
Dependencies
Dependencies refer to what your critical software needs to run. Think of binaries, code, and other components. In the supply chain, the dependencies expand to include the parent software running the infrastructure that drives your applications and the build and packaging scripts.
These dependencies, their properties, and their source significantly affect your cybersecurity.
So it pays to know:
- Who wrote the code
- When was the code contributed
- How was the code reviewed and tested for security issues?
- Any identified vulnerabilities, license information, and supported versions?
Vulnerabilities
Given the pervasive nature of software dependencies, it’s common for you to use multiple open-source dependencies for different functionalities – without having to write the code yourself.
Unfortunately, it’s hard to control such dependencies, which creates risks for you. If one of those dependencies has a bug, you likely have the bug too. Your software supply chain has multiple entry points for mistakes, unpatched vulnerabilities, and malicious attacks.
Secure Your Business’ Software Supply Chain with Best Practices
Software supply chains are intricate. They depend on every resource, step, agreement, and partnership in place to get the “product” to you (the customer). With the inclusion of many developers, features, and applications, your business is prone to cyberattacks from a myriad of sources.
That explains why you shouldn’t wait to deploy NIST-recommended security measures. Get in touch with NSA for prompt clarifications and fast deployment of software supply chain security best practices.