AppSec & Supply Chain Security | December 7, 2022

New supply chain mandates: Uncle Sam wants you (to secure your software)!

Here are the key elements of Executive Order 14028, and software supply chain security guidance from the Enduring Security Framework working group.

Paul Roberts, Director of Content and Editorial at RL

The Biden Administration’s Executive Order 14028 (EO), Improving the Nation’s Cybersecurity, released in May 2021, laid out new requirements for securing software used by federal agencies. Among other things, it set requirements for software supply chain security and directed the Office of Management and Budget (OMB) to require agencies to comply with them.

More recently, on September 14, 2022, that guidance took concrete form with the publication of OMB memorandum M-22-18, which requires federal agencies to comply with NIST guidance on software supply chain security: NIST Special Publication 800-218, the Secure Software Development Framework (SSDF), and subsequent NIST guidance on software supply chain security.

Here's a look at the key elements of the EO and related software supply chain security guidance from the federal government.

Special Report: https://www.reversinglabs.com/the-state-of-software-supply-chain-security

Timeline: The clock is ticking on federal compliance

The memo also set out a timeline for federal agencies to communicate new software security requirements to their vendors, and for software publishers that sell to federal agencies to self-attest to the security of their wares. That deadline is 270 days from the release of the OMB memorandum for vendors who sell “critical” software and services to federal agencies. Vendors selling non-critical software have one year to comply.

SBOMs: Your software package is in the hot seat

The mandate opened the door to federal agencies requiring Software Bills of Materials (SBOMs) that they can use to identify, track and monitor individual components within larger applications and services. The White House memo does not require software publishers to produce an SBOM, or federal agencies to demand one, to validate an attestation. However, the language in the memo makes clear that an SBOM “may be required” by an agency as part of its solicitation requirements, especially for software deemed “critical.”

An SBOM should also record so-called "known unknowns" (components whose contents could not be fully enumerated) for completeness. The memo echoes that guidance for attestations as well, instructing agencies to direct publishers to identify the practices to which they cannot attest, along with the practices they have in place to mitigate the resulting risks.

SBOMs aside, other forms of attestation may also be required, including output from source code analysis and vulnerability scanning tools, in addition to or in lieu of an SBOM, as needed. Publishers may also need to show that they participate in a vulnerability disclosure program.

Enduring Security Framework: Guidelines for securing software development environments

The Enduring Security Framework (ESF), a public-private working group led by the NSA, CISA and ODNI, released a new set of practice guidelines for software developers (“Securing the Software Supply Chain: Recommended Practices Guide for Developers”) in September 2022. The ESF guide provides a roadmap for software vendors that do business with the federal government on how to implement a secure software development framework (SSDF) as envisioned by the EO.

The ESF practice guidelines heavily reference other secure development frameworks, including NIST’s Secure Software Development Framework (SSDF), the OWASP Software Component Verification Standard (SCVS) and Supply Chain Levels for Software Artifacts (SLSA). They make clear that federal contractors and agencies need to develop proficiency in areas that they have not prioritized until now.

For example, the guidelines recommend that development organizations use binary scanning and software composition analysis (SCA) tools that can detect unknown files and open source components, and their associated security weaknesses, hiding within compiled binary packages.

Binary scanning can reveal possible threats such as backdoors and out-of-scope or suspicious functionality that a third-party module brings with it. Organizations can then use that information when deciding whether to release software to production, or whether to use the module at all.
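The kind of check the guidelines are pointing at, as an added example that is not ReversingLabs code and not from the ESF guide: a minimal binary-scanning pass that pulls printable strings out of a compiled artifact, fingerprints bundled open source components from the version banners libraries embed in their object code, flags strings that suggest out-of-scope functionality (hardcoded endpoints, shell execution, debug back doors), and gates the release on the result. The fingerprint set, the suspicious-string patterns and the sample "binary" are all constructed for illustration; a real scanner matches against a large curated signature database, not four regexes.

```python
"""Minimal binary scanner: component fingerprinting plus suspicious-string detection.

Added example; not ReversingLabs code and not from the ESF guide. The signature
tables and SAMPLE_BINARY below are constructed stand-ins (hypothetical).
"""
import re
import sys
from dataclasses import dataclass, field

# Printable-ASCII runs of at least 6 bytes: the same heuristic the `strings` tool uses.
_STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Version banners that common libraries compile into their binaries.
# Constructed, abbreviated fingerprint set; a real scanner has thousands of these.
COMPONENT_SIGNATURES = {
    "zlib":    re.compile(r"\binflate (\d+\.\d+(?:\.\d+)?) Copyright"),
    "OpenSSL": re.compile(r"\bOpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "libpng":  re.compile(r"\blibpng version (\d+\.\d+\.\d+)"),
    "SQLite":  re.compile(r"\bSQLite version (\d+\.\d+\.\d+)"),
}

# Strings that hint at functionality a third-party module should not carry.
SUSPICIOUS_PATTERNS = {
    "hardcoded URL":   re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?"),
    "shell execution": re.compile(r"(?:^|\W)(?:/bin/sh|cmd\.exe)(?:\W|$)"),
    "debug backdoor":  re.compile(r"(?i)\b(?:backdoor|debug_?password|master_?key)\b"),
}


@dataclass
class ScanReport:
    components: dict = field(default_factory=dict)  # component name -> version string
    findings: list = field(default_factory=list)    # (category, evidence string)


def extract_strings(blob: bytes) -> list:
    """Return the printable-ASCII runs in blob, in file order."""
    return [m.group(0).decode("ascii") for m in _STRING_RE.finditer(blob)]


def scan_binary(blob: bytes) -> ScanReport:
    """Fingerprint embedded components and collect suspicious strings."""
    report = ScanReport()
    for s in extract_strings(blob):
        for name, sig in COMPONENT_SIGNATURES.items():
            m = sig.search(s)
            if m and name not in report.components:   # first banner wins
                report.components[name] = m.group(1)
        for category, pat in SUSPICIOUS_PATTERNS.items():
            m = pat.search(s)
            if m:
                report.findings.append((category, m.group(0).strip()))
    return report


def release_gate(report: ScanReport,
                 blocked=("debug backdoor", "shell execution")) -> bool:
    """True if nothing in the blocked categories was found; the artifact may ship."""
    return not any(category in blocked for category, _ in report.findings)


# Constructed stand-in for a compiled module: an ELF-like prefix, non-printable
# filler, two real-looking library banners and three planted suspicious strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler\x00"
    + b"\x90\x90\xcc\x00" * 4
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00"
    + b"\x01\x02\x03"
    + b"https://updates.example.invalid/stage2\x00"   # constructed host, not real
    + b"/bin/sh\x00-c\x00"
    + b"debug_password=letmein\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    rep = scan_binary(data)
    for name, ver in rep.components.items():
        print(f"component: {name} {ver}")
    for category, evidence in rep.findings:
        print(f"finding:   {category}: {evidence}")
    print("release:  ", "ALLOW" if release_gate(rep) else "BLOCK")
```

Run it with no arguments to scan the constructed sample, or pass a file path to scan a real artifact. The component list is the raw material for an SBOM entry; the findings are what a release board would weigh before accepting the module.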

Likewise, the ESF includes practice guidelines devoted to developing secure code, including recommendations for development organizations to address developer-centric threats. Those include commonplace “ease of development” features, such as temporary back doors that find their way into production code, as well as the risks posed by malicious insiders, rogue developers and compromised development systems.

For example, the guidelines call out the risk posed by integrated development environment (IDE) plugins and scripts — a huge attack surface that goes unchecked in most development organizations.

To address these risks, the ESF recommends that development organizations perform automated static and dynamic testing of newly checked in code to look for vulnerabilities. It also urges them to map newly created code back to clearly identified features, and to implement authentication for code check-ins to guard against compromised development systems.

Critical code — such as that requiring elevated privileges, accessing sensitive resources or using or implementing cryptographic functions — should be subject to mandatory reviews and given a high priority, the guidelines state.
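The three check-in controls above (authenticated check-ins, code mapped to identified features, mandatory review of critical code) as one pre-receive-style policy check, added here as an example; it is not from the ESF guide or any project's code. Commit records are plain dicts carrying the fields a hook would pull from `git log --format=%H%n%G?%n%s` (the `%G?` codes G, U, N, B and E are git's own: good signature, good but untrusted key, no signature, bad signature, cannot be checked). The ticket-ID format, the critical-path layout, the critical-code patterns, the `security_reviewer` field and the sample push are all assumptions constructed for the example.

```python
"""Check-in policy for a push: signature, feature traceability, critical-code review.

Added example; not from the ESF guide or any project. Ticket format, repository
layout, critical-code patterns and the sample push are constructed assumptions.
"""
import re

FEATURE_REF = re.compile(r"\b[A-Z]{2,10}-\d+\b")    # assumed ticket format, e.g. AUTH-42
TRUSTED_SIG = {"G"}                                 # only signatures from keys we trust
# Assumed repository layout: directories that always hold critical code.
CRITICAL_PATH = re.compile(r"(?:^|/)(?:auth|crypto|secrets|privilege)/")
# Content markers for privilege changes, secrets and cryptographic functions.
CRITICAL_CODE = re.compile(
    r"setuid|setgid|PRIVATE KEY|hashlib|hmac|Cipher|AES|from cryptography|subprocess"
)


def is_critical(path: str, content: str) -> bool:
    """Critical by location or by what the code does."""
    return bool(CRITICAL_PATH.search(path) or CRITICAL_CODE.search(content))


def check_commit(commit: dict) -> list:
    """Return policy violations for one commit; an empty list means it passes."""
    short = commit["sha"][:8]
    problems = []
    # 1. Authentication of the check-in: reject anything not signed by a trusted key.
    if commit["sig_status"] not in TRUSTED_SIG:
        problems.append(
            f"{short}: signature status {commit['sig_status']!r}, trusted signature required")
    # 2. Traceability: every change maps back to an identified feature or ticket.
    if not FEATURE_REF.search(commit["subject"]):
        problems.append(f"{short}: subject does not reference a feature/ticket id")
    # 3. Critical code needs a named security reviewer before it lands.
    critical = sorted(p for p, c in commit["files"].items() if is_critical(p, c))
    if critical and not commit.get("security_reviewer"):
        problems.append(f"{short}: touches critical code {critical} without security review")
    return problems


def check_push(commits: list) -> list:
    """Evaluate every commit in a push; the push is rejected if any list is non-empty."""
    violations = []
    for c in commits:
        violations.extend(check_commit(c))
    return violations


# Constructed sample push (hypothetical shas, subjects and file contents).
SAMPLE_PUSH = [
    {   # signed, traceable, critical path but reviewed: passes
        "sha": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
        "sig_status": "G",
        "subject": "AUTH-42 reject expired sessions",
        "files": {"src/auth/session.py": "def valid(s):\n    return s.expires > now()\n"},
        "security_reviewer": "reviewer@example.invalid",
    },
    {   # unsigned and untraceable: two violations
        "sha": "0f1e2d3c4b5a69788776655443322110fedcba98",
        "sig_status": "N",
        "subject": "quick fix",
        "files": {"src/ui/menu.py": "MENU = ['a', 'b']\n"},
    },
    {   # signed and traceable, but introduces hashing outside a critical path, unreviewed
        "sha": "1234567890abcdef1234567890abcdef12345678",
        "sig_status": "G",
        "subject": "PAY-7 speed up checksum",
        "files": {"src/util/hash.py": "import hashlib\n\ndef h(b):\n    return hashlib.sha256(b)\n"},
    },
]

if __name__ == "__main__":
    for v in check_push(SAMPLE_PUSH):
        print("REJECT:", v)
```

Wiring this into a real `pre-receive` hook means iterating the pushed range with `git rev-list old..new` and reading each commit's `%G?` and subject; the `security_reviewer` field would come from the code-review system's approval record. Matching critical code by content as well as by path is what catches the third commit, which a path-only rule would wave through.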

ESF recommendations for securing executable code

Section 2.3.5 of the Enduring Security Framework developer guide provides recommendations development organizations can follow to secure executable code against exploits. These include:

  • Develop a set of comprehensive security requirements that includes compliance regulations.
  • Create threat models for all critical software components and elements of your build pipeline, including source code repositories, build systems, and so on.
  • Develop test plans to assess each requirement while providing good “code coverage.”
  • Provide adequate staffing and testing resources to execute the test plans.
  • Perform security testing of each software component in line with NIST SSDF guidelines, including:
    • Static and dynamic application security testing of all source code
    • Fuzzing of all software components to verify expected behaviors
    • Periodic penetration testing
    • Documentation of the results of all security tests

Image source: Flickr


Tags:AppSec & Supply Chain Security
