On September 15, NetSPI CTO Travis Hoyt was featured in The CyberWire article, White House Issues a Memorandum on Software Supply Chain Security. Read the preview below or view it online.
White House issues a memorandum on software supply chain security.
The White House yesterday issued guidance for Federal agencies’ use of software security practices. The memorandum instructs agencies to obtain a self-attestation from software providers that their products are in line with NIST’s security guidelines:
“Ensuring software integrity is key to protecting Federal systems from threats and vulnerabilities and reducing overall risk from cyber-attacks. The NIST Guidance provides ‘recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development.’ Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.”
Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said in a statement, “The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”
Industry experts were quick to comment on the new guidelines.
Travis Hoyt, CTO of NetSPI, sees implications not just for code, but for the environment in which code is developed:
“Today’s guidance from the Biden administration not only dictates the effort software developers must put into their code, but how they manage their own environments, as well. First, the introduction of a Software Bill of Materials (SBOM) is bound to have the greatest impact to security, but it also brings with it a learning curve as creating an SBOM may be a net new requirement for some firms. Additionally, the ubiquitous use of open source software means that developers leveraging these packages must pay greater attention to who is contributing to them and what is being incorporated into their products.
“Proactive penetration testing and source code review will prove critical to ensuring that given the changes, organizations are adhering to the latest guidance properly to better protect the software supply chain. Overall, this latest guidance is a step in the right direction for supply chain security, which has continued to plague the public and private sectors for far too long.”
You can read the full article at The CyberWire!