With major software supply chain attacks such as SolarWinds and the discovery of critical vulnerabilities like Log4j, the world has started to care a great deal about the security of software. These incidents, along with a string of others that span the past few decades, demonstrate that the problem of software supply chain attacks will not be going away anytime soon.
In fact, the problem has only gotten worse in the past two years. In particular, software supply chain attacks that go through open-source repositories have surged: attacks on npm and PyPI, two popular repositories, have risen by 289% over the past four years.
Even more concerning, it has become clear that a significant number of organizations that produce software are not taking enough steps to secure the applications they are creating. According to a ReversingLabs commissioned survey on secure software practices, only 51% of software practitioners reported that their companies can protect their software from third-party risk when using open source, commercial solutions, and partner software. This signifies that there is a great deal of growth needed in the software industry when it comes to securing software.
Thanks to SolarWinds, Log4j, and other concerning software security incidents, the U.S. federal government has begun to take initiative over the past year and a half to address the growing problem of software supply chain attacks. This became official with the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, which was followed by several other policy items and mandates that are expected to change the future of the software industry.
Here's a timeline of the major documents, policy initiatives, and mandates that software organizations will want to take note of — whether they are selling their software products to the federal government, or not.
The Biden Administration releases an Executive Order (EO) on Improving the Nation’s Cybersecurity (14028). The Order aims to improve several areas of cybersecurity, including software supply chain security.
Following EO 14028, under Section 4(f), the Secretary of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), releases a document that lists the minimum elements required for a software bill of materials (SBOM).
The NTIA introduces the Vulnerability Exploitability eXchange (VEX), which was created to “fill a particular need regarding use of software bills of materials (SBOMs),” in response to EO 14028.
Following EO 14028, under Section 4(c), the National Institute of Standards and Technology (NIST) releases preliminary guidelines, based on consultations and existing documents, for enhancing software supply chain security.
Following EO 14028, NIST releases the first version of the Secure Software Development Framework (SSDF) to the public.
Following EO 14028, under Section 4(u), the Secretary of Commerce and NIST, in coordination with the Federal Trade Commission (FTC) and invited representatives from other agencies, are to identify secure software development practices or criteria for a consumer software labeling program.
The federal government’s Enduring Security Framework (ESF) working panel releases the “Securing the Software Supply Chain” report, meant to be a practical guide for developers.
Following EO 14028, the Office of Management and Budget (OMB) issues memorandum M-22-18, which requires all federal agencies to obtain attestations of software security, as described in NIST’s SSDF guidance, from any software company doing business with the federal government. Software developed, and software modified by major version changes, after this memorandum will need to follow these requirements. The requirements do not apply to agency-developed software.
U.S. Senators Peters and Portman introduce Bill S. 4913 in the U.S. Senate, which aims to establish the duties of the Director of CISA in relation to open source software security.
The federal government’s ESF working panel releases the second installment of the “Securing the Software Supply Chain” report, meant to be a practical guide for suppliers.
As required by M-22-18, according to Section 3 a, by this date, agencies will take inventory of all software subject to the requirements of M-22-18. A separate inventory will be created for “critical software.”
As required by M-22-18, according to Section 3 a, by this date, agencies will develop a consistent process to communicate relevant requirements in this memorandum to software vendors, and ensure attestation letters not posted publicly by software providers are collected in one central agency system.
As required by M-22-18, according to Section 3 a, by this date, agencies will collect attestation letters not posted publicly by software providers for “critical software.”
As required by M-22-18, according to Section 3 a, by this date, agencies will collect attestation letters not posted publicly by software providers for all software.