One year since Biden’s EO on cybersecurity: the public sector is making progress

Meaghan McBee – Thu, 12 May 2022 –

It’s the first anniversary of the Biden Administration’s EO on cybersecurity and progress has been made, but there’s still work to do in securing the public sector.


The Biden Administration’s executive order on cybersecurity of May 12th, 2021, was ambitious but clear: if agencies want to protect themselves against crippling breaches like SolarWinds and Colonial Pipeline while improving their own incident response, there are steps they need to follow for securing critical infrastructure and supply chains.

One year later, it’s clear that progress has been made, but there is still work to be done. Data from the most recent Invicti AppSec Indicator revealed that 32% of government agencies were vulnerable to SQL injection (SQLi) attacks in 2021. SQLi is a flaw that can lead to sensitive information exposure and pave the way for even more serious attacks, so its alarming frequency signals we’re still not out of the woods when it comes to preventing severe vulnerabilities, and that includes keeping vital software supply chains secure.

The importance of clarity in the software supply chain

Transparency in the software supply chain is critical, and it can make or break incident response for agencies of all sizes. With a Software Bill of Materials (SBOM), organizations can quickly and efficiently determine whether or not a newly discovered vulnerability presents a potential risk to an application in their asset inventory. This transparency is imperative for improving security posture and shrinking the overall attack surface.
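The SBOM lookup described above, as an added example that is not part of the original post: a newly published advisory (package URL plus an affected version range) is matched against a CycloneDX-style SBOM for each application in an inventory, returning the applications that carry the affected component. All package names, versions and SBOM data are constructed for illustration.

```python
# Added example (not from the original post): match a vulnerability advisory
# against SBOM inventory to find which applications carry the affected component.
# All package URLs, versions and SBOM content below are constructed.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version ('1.4.2') into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    purl_base: str   # package URL without the '@version' suffix
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


def component_affected(purl: str, adv: Advisory) -> bool:
    """True when purl names the advisory's package at a version in [introduced, fixed)."""
    base, sep, version = purl.rpartition("@")
    if not sep or base != adv.purl_base:   # no version, or a different package
        return False
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def affected_applications(inventory: dict, adv: Advisory) -> dict:
    """Map each application name to the purls of its components hit by the advisory.
    inventory: {app_name: sbom}, where sbom follows the CycloneDX shape
    {"components": [{"name": ..., "version": ..., "purl": ...}, ...]}."""
    hits = {}
    for app, sbom in inventory.items():
        matched = [c["purl"] for c in sbom.get("components", [])
                   if component_affected(c["purl"], adv)]
        if matched:
            hits[app] = matched
    return hits


# Constructed SBOMs for two applications in an agency's asset inventory.
INVENTORY = {
    "citizen-portal": {"bomFormat": "CycloneDX", "components": [
        {"name": "example-http-parser", "version": "1.4.2", "purl": "pkg:npm/example-http-parser@1.4.2"},
        {"name": "example-template", "version": "3.1.0", "purl": "pkg:npm/example-template@3.1.0"},
    ]},
    "grants-api": {"bomFormat": "CycloneDX", "components": [
        {"name": "example-http-parser", "version": "1.6.0", "purl": "pkg:npm/example-http-parser@1.6.0"},
    ]},
}

# Constructed advisory: versions 1.2.0 up to (but not including) 1.5.0 are affected.
ADVISORY = Advisory("pkg:npm/example-http-parser", "1.2.0", "1.5.0")

if __name__ == "__main__":
    for app, comps in affected_applications(INVENTORY, ADVISORY).items():
        print(f"{app}: {', '.join(comps)}")
```

Only citizen-portal is reported, because grants-api already runs a version at or above the fixed release; pre-release suffixes such as `1.0-beta` are out of scope for the simple numeric comparison used here.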

In an effort to refocus some of these critical efforts on the software supply chain, the National Institute of Standards and Technology (NIST) recently updated its response to the Executive Order, which includes guidelines for identifying and remediating risk in the software supply chain. Now, the publication outlines best practices for managing cybersecurity risks within the supply chain and offers guidance for checking components that may have been overlooked in previous security processes.

This update comes a few months after the Office of Management and Budget (OMB) released a memo encouraging federal agencies to adopt a zero trust architecture. As more federal agencies partner with cybersecurity vendors to improve processes and integrate more modern tooling, they are able to maximize security coverage while also implementing zero trust principles. Because zero trust “… assumes that a breach is inevitable or has likely already occurred,” it helps narrow access to only what is needed and can raise flags about suspicious activity, helping agencies cover more of their attack surface.

Looking ahead: building on a foundation of AppSec transparency

Zero trust and SBOMs are both strategies that can help agencies take their AppSec programs to the next level and give their security posture a boost, especially when it comes to transparency in the software supply chain and taking a more proactive approach to getting complete coverage. As bad actors continue to exploit direct-impact vulnerabilities, especially targeting government sectors, that level of transparency is more critical than ever.

With these directives in place, agencies have a foundation for shifting away from legacy solutions and prioritizing more modern approaches to cybersecurity that can help keep the supply chain secure. By following NIST’s guidelines and embedding comprehensive security monitoring into their development processes with a focus on protecting sensitive data in real time, agencies can continuously diagnose and mitigate web application vulnerabilities much more effectively.

To gain deeper insight into NIST’s pilot programs, read about their cybersecurity efforts and recommendations outlined here for improving supply chain security.

