Software supply chain security continues to be a critical topic for the cybersecurity and software industry, and for good reason: from continued attacks against large software vendors to attackers' deliberate focus on the open-source software ecosystem, it is front and center for most CISOs and security practitioners. Fortunately, organizations continue to produce solid guidance to help practitioners mitigate software supply chain risks. The latest publication, "Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bills of Materials," comes from the US National Security Agency (NSA).
It also builds on earlier publications such as the White House Cybersecurity Executive Order (EO) and memos and forthcoming requirements for Federal agencies, such as the Office of Management and Budget's (OMB) memos 22-18 and 23-16, which require software suppliers selling to the US federal government to self-attest to aligning with publications such as the National Institute of Standards and Technology's (NIST) Secure Software Development Framework (SSDF), and even to provide SBOMs in some cases.
While the NSA guidance points to earlier publications from the White House, NIST, and OMB, this publication is relevant to all organizations producing and consuming software, leveraging OSS, and looking to adopt artifacts such as SBOMs. Here are some of the key areas of the guidance, along with recommendations and takeaways from the document.
Structure of the NSA guidance on SBOMs
The NSA guidance focuses on four key areas, as outlined in the table below, each aligned with its respective SSDF activities. (Area 1 is omitted as it is merely an introduction):
[Table: NSA guidance focus areas and their corresponding SSDF activities; source: US National Security Agency]
Open-source software management
This section of the NSA guidance defines key roles and responsibilities for developers and suppliers, among others. It notes that developers have responsibilities such as identifying potential OSS solutions to use and integrating OSS solutions into product software, as well as monitoring updates to those components. Suppliers are those producing a product or service and performing activities such as monitoring for license changes or vulnerabilities in the OSS components included in products, because of the risks they may pass on to downstream consumers.
The NSA lays out primary considerations for using OSS, such as evaluating OSS components for vulnerabilities in sources such as the NVD and other vulnerability databases and ensuring that vulnerable components are not being included in products. It also recommends that organizations remain aware of licensing considerations such as license compliance, as well as export controls, such as the evolving EU regulations that may affect the incorporation of OSS into products.
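As an added illustration of the supplier-side checks described above (vulnerability and license review of OSS components), and not code from the NSA guidance, the following script reviews a small CycloneDX-style SBOM against a vulnerability lookup and a license allow-list. The SBOM, the vulnerability records (placeholder identifiers, not real CVEs) and the allow-list are all constructed here as assumptions; in practice the lookup would query the NVD or a similar database.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:pypi/libfoo@1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbar", "version": "0.9.0",
     "purl": "pkg:pypi/libbar@0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "libbaz", "version": "2.0.0",
     "purl": "pkg:pypi/libbaz@2.0.0", "licenses": []}
  ]
}
"""

# Constructed vulnerability records keyed by purl, standing in for an NVD lookup.
# The identifier is a placeholder, not a real CVE.
KNOWN_VULNS = {
    "pkg:pypi/libbar@0.9.0": ["CVE-XXXX-0001 (placeholder)"],
}

# Licenses the organization permits in shipped products (an assumed policy).
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def review_sbom(sbom_text, vulns, allowed_licenses):
    """Return a list of (component reference, issue) findings for the SBOM."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        # Prefer the package URL as the stable identifier; fall back to name@version.
        ref = comp.get("purl") or f"{comp['name']}@{comp['version']}"
        for vuln_id in vulns.get(ref, []):
            findings.append((ref, f"known vulnerability: {vuln_id}"))
        licenses = {entry["license"]["id"] for entry in comp.get("licenses", [])
                    if "license" in entry and "id" in entry["license"]}
        if not licenses:
            # An undeclared license cannot be checked for compliance at all.
            findings.append((ref, "no license declared; cannot verify compliance"))
        for lic in sorted(licenses - allowed_licenses):
            findings.append((ref, f"license not on allow-list: {lic}"))
    return findings


if __name__ == "__main__":
    for ref, issue in review_sbom(SBOM_JSON, KNOWN_VULNS, ALLOWED_LICENSES):
        print(f"{ref}: {issue}")
```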