The Rise Of Cybersecurity Standards For Modern Software

Forbes Technology Council

Chris Wysopal is Chief Technology Officer at Veracode.

The onslaught of cyberattacks in the U.S., such as the Colonial Pipeline and Microsoft hacks, demonstrates the systemic problem society faces as weaknesses in the digital world persist and increasingly affect people’s daily lives. The issues that led to these attacks are not new; the challenge the industry faces is how to act on them so that security practices keep up with technology advancements. It is all about addressing the supply chain of vulnerabilities coming through software that is integral to everyone’s daily lives.

Until business leaders make cybersecurity investment a priority, the industry will continue to be challenged. Leaders face a business and incentive problem, not a technology problem. In the wake of these cyberattacks, the Biden administration released an executive order on cybersecurity that includes new security requirements for software vendors selling software to the U.S. government. The executive order takes a bold step toward addressing this challenge by seeking to better protect government systems from a vulnerable software supply chain.

Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, addressed President Biden’s executive order at the RSA Conference in May 2021: “The current model of build, sell, and maybe patch means that the products the federal government buys often have defects and vulnerabilities that developers are accepting as the norm with the expectation that they can patch later. Or perhaps they ship software with defects and vulnerabilities that they don’t think merit fixes. That’s not acceptable,” said Neuberger. “Security has to be a basic design consideration.”

Requirements in the order will drive vendors selling software to the federal government to comply with new standards, such as security testing in the development process and providing a bill of materials for open-source libraries in use. Without following these standards, companies will not be able to sell software to the federal government. As the implementation of these standards unfolds, the industry may see a domino effect on the broader market where private companies begin to adopt similar practices and guidelines.

And the time may not be far off. Eighty-six percent of The Washington Post’s Cybersecurity 202 network — a group of high-level digital security experts — agree (subscription required) that companies in critical industry sectors, such as agriculture and transportation, should be required by the government to meet minimum cybersecurity standards.

Just as there are minimum fire-safety standards because firefighting resources are shared and limited and collateral damage is common, the cybersecurity industry needs minimum cyber requirements to protect everyone from security breaches that affect the wider community. Requirements that have the potential to impact software vendors and fuel new regulations include:

Secure software in development: The order’s focus is meant to help drive security by design, ensuring the development of secure software from the start and reducing vulnerabilities — and thereby incidents — in production software.

Verify open-source software: Recognizing that most modern software is built on open-source code, vendors must verify the integrity of open-source code used in their applications.

Secure the development process: Expanding on assessing security in the development process, such as application security testing, the order also includes security of the development environment, layering in protections like two-factor authentication for developers signing into code repositories.

Label IoT and software security: The significance of security rating and labeling for all software and IoT devices suggests that this type of regulation may expand to the consumer market.

Collaborate for success: The order emphasizes the need for collaboration between both the public and private sectors, and between government agencies, to achieve better protection across the board. This is intended to protect the software supply chain and ultimately help to reduce the number of incidents that occur as a result of vulnerabilities left in production code.
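As an added illustration of two of the requirements above, verifying the integrity of open-source components and producing a bill of materials for them, here is example code that is not from the article, from Veracode, or from the executive order. It pins each component to a SHA-256 hash (the same idea as pip’s --require-hashes mode), rejects any artifact that does not match its pin, and records the verified set as a small CycloneDX-style JSON document (a subset of that format’s fields). The component names, versions, artifact bytes and hashes are constructed for the example.

```python
"""Hash-pinned dependency verification feeding a minimal bill of materials.

Added example: not Veracode's code and not part of the executive order.
Component names, versions, artifact bytes and hashes are constructed.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded open-source packages, keyed by name.
TRUSTED_ARTIFACTS = {
    "example-json-lib": b"constructed bytes standing in for example-json-lib-2.3.1.tar.gz",
    "example-http-lib": b"constructed bytes standing in for example-http-lib-1.0.4.tar.gz",
}

# Constructed lock file: name -> pinned version and SHA-256 of the artifact.
# The pins are derived here so the example runs offline; in a real project
# they come from the lock file committed alongside the code.
LOCK = {
    "example-json-lib": {"version": "2.3.1", "sha256": sha256_hex(TRUSTED_ARTIFACTS["example-json-lib"])},
    "example-http-lib": {"version": "1.0.4", "sha256": sha256_hex(TRUSTED_ARTIFACTS["example-http-lib"])},
}


def verify_component(name: str, data: bytes, lock: dict) -> tuple:
    """Check one artifact against the lock file.

    Returns (True, "ok") when the component is pinned and its hash matches,
    otherwise (False, reason). A component absent from the lock file is
    rejected outright rather than silently accepted.
    """
    entry = lock.get(name)
    if entry is None:
        return False, "not in lock file"
    # Constant-time comparison avoids leaking how many hex digits matched.
    if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        return False, "hash mismatch"
    return True, "ok"


def build_sbom(lock: dict, artifacts: dict) -> tuple:
    """Verify every pinned component and emit a CycloneDX-style BOM dict.

    Only components that pass verification are listed; everything else is
    returned in `failures` as (name, reason) so the build can be stopped.
    """
    components = []
    failures = []
    for name, entry in lock.items():
        data = artifacts.get(name)
        if data is None:
            failures.append((name, "artifact missing"))
            continue
        ok, reason = verify_component(name, data, lock)
        if not ok:
            failures.append((name, reason))
            continue
        components.append({
            "type": "library",
            "name": name,
            "version": entry["version"],
            "hashes": [{"alg": "SHA-256", "content": entry["sha256"]}],
        })
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}
    return bom, failures


if __name__ == "__main__":
    # Clean build: every component verifies and lands in the BOM.
    bom, failures = build_sbom(LOCK, TRUSTED_ARTIFACTS)
    print(json.dumps(bom, indent=2))
    print("failures:", failures)

    # Constructed tampered download: the BOM omits it and the build should fail.
    tampered = dict(TRUSTED_ARTIFACTS)
    tampered["example-http-lib"] = b"constructed bytes that differ from the pinned artifact"
    _, failures = build_sbom(LOCK, tampered)
    print("failures after tampering:", failures)
```

The design choice worth noting is that the bill of materials is produced from the verified set, not from the lock file alone: a component that fails its hash check never appears in the BOM, so the document only ever describes code that actually passed the integrity gate.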

Roughly a quarter of President Biden’s executive order is dedicated to software security. This is not surprising when you look at the root cause of major breaches — often it is a vulnerability in a software application. The stakes are higher when one factors in the growing reliance on open-source libraries for development code. Veracode’s 2021 findings revealed that almost 80% of the time, the open-source libraries used in software — often left to “set and forget” — are never updated, leaving many applications vulnerable.

The National Institute of Standards and Technology (NIST) outlined its definition of critical software and security measures for critical software in the last year. Since there is no silver bullet for software security, this level of specificity is important. Software security verification practices, such as threat modeling, automated testing, static and dynamic analysis, remediation of “must fix” bugs and secure coding techniques, will help vendors meet the recommended minimum standards for software testing outlined by NIST. These new standards will have a significant impact on how software creators build and test their code, even if they are not directly affected by the executive order yet.

Like others, my team and I will be closely following the development of these new regulations as NIST continues its review. As the executive order continues to take shape, I would encourage NIST to consider all aspects of what it takes to create secure software, including training developers and equipping them with the right knowledge of software security so they write more secure code from the outset. There should also be a focus on creating mechanisms that enable development and security teams to come together and build the right practices around software security.

Recent attacks have put the software supply chain in the spotlight. The executive order is a sign that the vulnerability of this supply chain will remain highly visible. Software is both critical and pervasive, but also vulnerable if not built or assembled right. The executive order shines a light on the standardization, structure and security transparency issues we face as we become a digital society that is constantly building software.

It is only the first step in helping to protect the code that fuels the software that powers our business, civic and personal lives.
