New Software Security Requirements: What Has Changed?
Over the past several years, there has been a growing concern about software security in the wake of high-profile security incidents like the SolarWinds breach and the Log4j vulnerability. In response to these incidents, the US government has introduced new requirements for organizations that sell software to government agencies.
In May 2021, the White House issued Executive Order 14028, which aimed to improve the nation’s cybersecurity. This executive order set in motion a series of actions that have led to clear requirements impacting software suppliers to the US government. One of the key requirements is that organizations must self-attest that their software conforms to the secure software development practices outlined by the government in the NIST Secure Software Development Framework.
It is important to understand that these requirements go beyond just the code that organizations write themselves. Organizations must also attest that the open source components they use in their applications follow these secure software development practices. This means that organizations will need to ensure not only their own compliance but also the compliance of the open source maintainers whose code they rely on.
In June, the government reaffirmed these requirements in OMB memorandum M-23-16, setting deadlines for compliance that are approaching quickly. It is expected that compliance with the requirements for critical software will be required by the fourth quarter of this year, and compliance for all other software will be required by the first quarter of next year.
Noncompliance with these requirements is not taken lightly by the government. The memorandum states that federal agencies must discontinue the use of software if the producer’s documentation is deemed unsatisfactory or if the agency is unable to confirm compliance with the secure software development practices.
The Particularly Challenging Case of Open Source
One of the most challenging aspects of these new requirements is the attestation of security practices for open source components. Modern software often includes a significant amount of open source code, making up the majority of the code base in many cases. However, ensuring the secure practices of open source maintainers is a complex and difficult task.
Open source maintainers are often unpaid volunteers who contribute to open source projects as a hobby or in their spare time. Asking them to validate their security practices in line with the NIST SSDF standards is impractical. This poses a significant challenge for organizations that rely on open source components in their software.
One possible solution is to avoid using open source components altogether. However, this is increasingly nonviable as open source has become the de facto development platform for many organizations.
Another approach is to ensure that the open source maintainers are being paid for their work on security. This may require extra research to identify open source components with maintainers who are paid by corporate benefactors, foundations, or commercial efforts to validate their packages’ compliance with security standards. Organizations can also consider becoming corporate sponsors of open source maintainers to support their important security work.
It’s important to note that most modern applications have thousands of open source dependencies, each maintained by different individuals or teams. Scaling the approach of ensuring paid maintainers for all these dependencies requires considerable manual effort.
A Challenging but Necessary Step Forward
While these new requirements may be challenging and time-consuming to comply with, they are necessary steps forward in improving software security. With increasing security vulnerabilities posing significant risks to both the public and private sectors, it is crucial to prioritize and promote secure software development practices.
The US government, as the largest buyer of goods and services, including IT, in the world, has the power to influence and improve the overall security standards for software. By leveraging its purchasing power, the government is taking steps to ensure a safer and more secure future for all.
Keywords:
Security, Marketplace, Software, Sales, US Government, Open Source, Compliance, NIST SSDF, Executive Order 14028, OMB memorandum M-23-16