A Look Back at the Executive Order on Cybersecurity

It has officially been one year since the release of the Biden administration’s Executive Order on Cybersecurity, which outlines security requirements for software vendors selling software to the US government. These requirements include security testing in the development process and a software bill of materials for the open-source libraries in use so that known vulnerabilities are disclosed and able to be tracked in the future, among other things.

The Executive Order – put into motion following the cyberattacks on government agencies through software from SolarWinds and Microsoft – calls on the US Department of Commerce’s National Institute of Standards and Technology (NIST) to establish the security initiatives necessary to meet the requirements in a given timeframe.

As we’ve seen over the past twelve months, NIST has met most of the timelines. So far, NIST has:

NIST still needs to:

  • Issue additional information about its software supply chain guidance plans, including review and update procedures
  • Provide the President with a report that reviews the progress made and additional steps needed to secure the software supply chain
  • Submit a summary of what improvements can be made going forward

To commemorate the one-year anniversary, we interviewed our CTO and Co-Founder, Chris Wysopal, to get his take on how the Executive Order is going so far and what he envisions for the future.

One of the most important developments to come out of the Executive Order is “the updates to the Secure Software Development Framework”

When we asked Chris what he considers to be the most important aspect of the Executive Order, he quickly responded, “the updates to the Secure Software Development Framework (SSDF).” The updates to the SSDF, published by NIST and based on feedback solicited from the software security community, explicitly address secure software development practices in detail, mapping specific requirements from the EO into a practical tool that organizations can use to help ensure compliance. It’s no longer just “recommendations” or “good stuff to do.” There are now “concrete mappings in place” telling suppliers of the federal government exactly what they need to do to be compliant with the Executive Order.

“The next phase is actually putting things into motion”

“Now that guidelines and requirements have been established, the next phase is actually putting things into motion,” says Chris. “We can expect to see updated contracts and specific, detailed requests from federal agencies to vendors for everything from secure development environments to all digital components and their dependencies in their software. Recent attention on a software bill of materials (SBOM), or providing a certified ‘list of application ingredients,’ will be a necessary requirement for suppliers providing software to the US government. “

AppSec vendors have already started to make adjustments to help out suppliers. For example, you can now generate an SBOM with Veracode Software Composition Analysis. Veracode’s SBOM API response provides an inventory of the components within an application, including insight into the relationships that the various components have with each other and identifying which components are coming from third-party sources that make up the software supply chain. The SBOM API returns a response with the SBOM in CycloneDX JSON format, which is one of the approved formats for compliance with the US Executive Order.

“The drivers that initially propelled the issuance of the Executive Order last year have only intensified”

“The drivers that initially propelled the issuance of the Executive Order last year – SolarWinds and Microsoft Exchange – intensified after the recent Log4j vulnerability which impacted the majority of Java users,” said Chris.

Veracode data showed that 95 percent of our customers with over 100 applications use Java, and 88 percent use some version of Log4j. Of that 88 percent, 58 percent use a vulnerable version of Log4j. Customers with software composition analysis (SCA) were able to quickly find and fix the vulnerability before an exploit. Customers without SCA hopefully viewed this as a wake-up call because, as we’ve seen from data in Veracode’s State of Software Security: Open-Source Editionthere is still a long way to go in getting organizations to adopt third-party scanning tools.

Our recent open-source SOSS report found that nearly 80 percent of the time, developers never update third-party libraries once they’ve been built into a codebase. The worst part is that 92 percent of flaws in third-party libraries can be fixed with an update. Once we start enforcing the Executive Order, the number of vulnerabilities in software provided to the US government should drop significantly.

“Software security is no longer a ‘nice to have;’ it’s a federal requirement ”

Chris explained that “As a result of the Executive Order, software security is no longer a ‘nice to have;’ it’s a federal requirement. Much in the same way seatbelts became federally mandated in cars, all organizations will eventually implement these practices and adhere to the standards for improved software safety and security for all citizens. ”

In other words, all software vendors should be paying attention to the Executive Order, not just those who provide software to the US federal government, because the EO will eventually trickle down to the private sector.

Whether you supply software to the US government or not, you should start taking a serious look at your application security program. Make sure you have testing tools in place for the entire software development lifecycle – ideally automated and integrated into your developer’s existing tools and processes. Stay on top of your open-source risk with a software composition analysis tool and SBOMs. Lastly, if you’re not already doing so, train your developers in secure coding.

Software security requirements are here to stay. Find an AppSec vendor committed to helping you comply with the requirements and stay up to date on the Executive Order.

Source

It has officially been one year since the release of the Biden administration’s Executive Order on Cybersecurity, which outlines security requirements for software vendors selling software to the US government. These requirements include security testing in the development process and a software bill of materials for the open-source libraries in use so that known vulnerabilities are disclosed and able to be tracked in the future, among other things.

The Executive Order – put into motion following the cyberattacks on government agencies through software from SolarWinds and Microsoft – calls on the US Department of Commerce’s National Institute of Standards and Technology (NIST) to establish the security initiatives necessary to meet the requirements in a given timeframe.

As we’ve seen over the past twelve months, NIST has met most of the timelines. So far, NIST has:

NIST still needs to:

  • Issue additional information about its software supply chain guidance plans, including review and update procedures
  • Provide the President with a report that reviews the progress made and additional steps needed to secure the software supply chain
  • Submit a summary of what improvements can be made going forward

To commemorate the one-year anniversary, we interviewed our CTO and Co-Founder, Chris Wysopal, to get his take on how the Executive Order is going so far and what he envisions for the future.

One of the most important developments to come out of the Executive Order is “the updates to the Secure Software Development Framework”

When we asked Chris what he considers to be the most important aspect of the Executive Order, he quickly responded, “the updates to the Secure Software Development Framework (SSDF).” The updates to the SSDF, published by NIST and based on feedback solicited from the software security community, explicitly address secure software development practices in detail, mapping specific requirements from the EO into a practical tool that organizations can use to help ensure compliance. It’s no longer just “recommendations” or “good stuff to do.” There are now “concrete mappings in place” telling suppliers of the federal government exactly what they need to do to be compliant with the Executive Order.

“The next phase is actually putting things into motion”

“Now that guidelines and requirements have been established, the next phase is actually putting things into motion,” says Chris. “We can expect to see updated contracts and specific, detailed requests from federal agencies to vendors for everything from secure development environments to all digital components and their dependencies in their software. Recent attention on a software bill of materials (SBOM), or providing a certified ‘list of application ingredients,’ will be a necessary requirement for suppliers providing software to the US government. “

AppSec vendors have already started to make adjustments to help out suppliers. For example, you can now generate an SBOM with Veracode Software Composition Analysis. Veracode’s SBOM API response provides an inventory of the components within an application, including insight into the relationships that the various components have with each other and identifying which components are coming from third-party sources that make up the software supply chain. The SBOM API returns a response with the SBOM in CycloneDX JSON format, which is one of the approved formats for compliance with the US Executive Order.

“The drivers that initially propelled the issuance of the Executive Order last year have only intensified”

“The drivers that initially propelled the issuance of the Executive Order last year – SolarWinds and Microsoft Exchange – intensified after the recent Log4j vulnerability which impacted the majority of Java users,” said Chris.

Veracode data showed that 95 percent of our customers with over 100 applications use Java, and 88 percent use some version of Log4j. Of that 88 percent, 58 percent use a vulnerable version of Log4j. Customers with software composition analysis (SCA) were able to quickly find and fix the vulnerability before an exploit. Customers without SCA hopefully viewed this as a wake-up call because, as we’ve seen from data in Veracode’s State of Software Security: Open-Source Editionthere is still a long way to go in getting organizations to adopt third-party scanning tools.

Our recent open-source SOSS report found that nearly 80 percent of the time, developers never update third-party libraries once they’ve been built into a codebase. The worst part is that 92 percent of flaws in third-party libraries can be fixed with an update. Once we start enforcing the Executive Order, the number of vulnerabilities in software provided to the US government should drop significantly.

“Software security is no longer a ‘nice to have;’ it’s a federal requirement ”

Chris explained that “As a result of the Executive Order, software security is no longer a ‘nice to have;’ it’s a federal requirement. Much in the same way seatbelts became federally mandated in cars, all organizations will eventually implement these practices and adhere to the standards for improved software safety and security for all citizens. ”

In other words, all software vendors should be paying attention to the Executive Order, not just those who provide software to the US federal government, because the EO will eventually trickle down to the private sector.

Whether you supply software to the US government or not, you should start taking a serious look at your application security program. Make sure you have testing tools in place for the entire software development lifecycle – ideally automated and integrated into your developer’s existing tools and processes. Stay on top of your open-source risk with a software composition analysis tool and SBOMs. Lastly, if you’re not already doing so, train your developers in secure coding.

Software security requirements are here to stay. Find an AppSec vendor committed to helping you comply with the requirements and stay up to date on the Executive Order.

Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

YouAttest collaborates with JumpCloud to give users access reviews for identity governance

YouAttest announced their product integration with JumpCloud - an open directory platform that gives IT, security...

SLACIP: How to Comply with the SOCI ACT Reforms

On March 31, 2022, the Security Legislation Amendment Critical Infrastructure Protection Act 2022, also known as SLACIP, was passed by the Australian Parliament. ...

Microsoft patches the Patch Tuesday patch that broke authentication – Naked Security

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931which affected the safety of authentication in Windows. Even...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!