It’s official: regulations by the US and UK governments are coming down the track to secure the software supply chain.
Earlier this month, President Biden signed an Executive Order (EO) to increase cybersecurity defences across the U.S, with an emphasis on enhancing the security of the software supply chain. Now, the UK government is following suit, having announced their own call for advice on defending against software supply-chain attacks. The supply chain attacks at SolarWinds and CodeCov have shaken governments. The EO targets the software industry when it says, “Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit.” The US wants to know what is in the software they rely on and how securely it is built.
How could this affect your DevOps and Software Engineering teams?
Within 60 days of the EO, the US government will publish the following:
- Minimum elements for a Software Bill of Materials (SBOM).
- Guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).
The SBOM is a critical element of the EO, essentially a record of all of the components and dependencies used in building software. Most software contains libraries and packages sourced from the open-source community or commercial software. The end-user can use the SBOM to perform vulnerability or license analysis, both of which can evaluate risk in a product.
The EO specifically calls out actions to prove the security and provenance of open-source software (OSS). There is a fear that the OSS supply chain is a potential avenue of attack for hackers. Most modern software relies on many OSS packages, which will only increase moving forward as software becomes more and more complex. The EO indicates that OSS packages used in software will need to be checked for:
- 3rd party dependencies.
- Known security or reliability issues.
The EO may force Software developers and DevOps Engineers to change their practices and update their CI/CD pipelines to increase the visibility of the software composition, increase automation and attest to their security practices.
The EO's 10 steps to securing your software supply chain
- Secure software development environments using administratively separate build environments, controlling access, 2-factor authentication and by monitoring operations on the build environments.
- Provide proof that your software was developed in a secure software development environment when requested by a purchaser.
- Use automation to maintain trusted source code supply chains, thereby ensuring the integrity of the code.
- Automation tools checking for known and potential vulnerabilities and fixes shall operate regularly.
- The Purchaser may request proof of Automation and a summary report of risks and mitigations.
- Maintain accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and regularly perform audits and enforcement of these controls.
- Provide a purchaser with a SBOM.
- Participate in a vulnerability disclosure program that includes a reporting and disclosure process.
- Attest to conformity with secure software development practices.
- Attest to the integrity and provenance of OSS used within any portion of a product.
Secure your supply chain with Cloudsmith
Cloudsmith is uniquely positioned to help Engineers secure their supply chain and meet the new requirements the US and UK government will be introducing. Cloudsmith provides an entirely managed cloud-native ‘single source of truth’ for all software and its dependencies, isolating and protecting you and your customers from supply chain attacks. Using continuous packaging (CP), we offer the observability and control to ensure that your software is always verified, packaged and ready to deliver.
Build and ship your software with Cloudsmith to secure your supply chain and comply with future regulations.