What To Know: A Summary of the Compliance Guide to SSDF
NIST has recently researched, defined, and released an entirely new standard for incorporating security into the software development lifecycle called The Secure Software Development Framework. It was uniquely designed to help address the tremendous gaps in software supply chain security that expose organizations to methodical attacks on an organization's code, infrastructure, development toolchain, and dependencies. For example, you may have heard of the Codecov breach, an attack that put the spotlight on supply chain attacks.
New Security Standards: The Secure Software Development Framework
Adopting the framework helps minimize the likelihood of compromise by strengthening the software supply chain. It reduces the number of vulnerabilities released in software, enables the use of dependencies safely, adapts to open-source health changes, and addresses root causes of vulnerabilities. Cleverly, it is flexibly designed to help development teams adopt security no matter their organization size, resources, or structure.
It’s the most thorough guidance that applies to anyone looking to strategize on how they can modernize security and development to avoid leaving easy entry points for hackers to manipulate. How is this possible? It doesn’t predicate security as being a single tactic. Instead, it can be approached with whatever combination of different tools, open-source components, and strategies fit best with an organization’s resources, then quantifies success by achieving secure outcomes of these four pillars:
- Preparing the Organization: Securing code by ensuring that people, processes, and technology are prepared to perform secure software development. Preparing the organization requires a thorough understanding of the business objectives and risk management strategy as well as deep control and visibility of the SDLC. Once this alignment has been achieved, management can focus on strategically adopting new processes that enhance security throughout the SDLC and can define what new roles and responsibilities should be established to support them.
- Protect the Software: Protect all components of software from tampering or accessed by unauthorized users.
- Produce Well-Secured Software: Produce well-secured software with minimal security vulnerabilities in its releases.
- Respond to Vulnerabilities: Identify existing vulnerabilities in software and remediate to prevent similar ones from occurring.
While there have been many attempts to recommend security best practices that address gaps in the software supply chain, this guidance is the most comprehensive. Covering these four objectives requires a hard look at current people, processes, and technology and is no small undertaking. Your organization's unique software development process maturity will dictate the strategy needed according to the framework for achieving these outcomes. If done well, the end result is a resilient software supply chain that can prevent sophisticated attacks and mitigate risk if they do occur.
United States Government Adopts New Security Standards
The United States Government is highly aware of how vulnerable its government agencies are to attacks on cybersecurity infrastructure. In May 2021, the United States Government issued an executive order focused on improving the nation’s cybersecurity through prevention, detection, assessment, and remediation of cyber incidents. While the order spans much more than just software development in order to achieve better confidence in the government’s cybersecurity infrastructure, the software supply chain is essentially the biggest focus area.
The creation of section 4 identifies software supply chain security as a key element in the overall national cybersecurity posture and specifically requires all government organizations to re-evaluate software suppliers and their vendors for compliance according to the Secure Software Development Framework. This boils down to a fast change in how organizations are being considered eligible to sell software and products to the government.
There are 42 specific compliance requirements needed to achieve compliance with the NIST framework.
The aggressive timelines set forth by the order make it essential that every business look at how to achieve compliance with the Secure Software Development Framework and understand how to prove it with attestation. Aqua’s powerful CNAPP platform provide organizations with a single united tool that makes achieving the standards set in the Secure Software Development Framework possible in less than 30 days.
Outside of the many benefits that adopting a Secure Software Development Framework strategy provides for an organization like continuity of business and prevention of software supply chain attacks, the United States government has become another catalyst for organizations to quickly re-evaluate how they approach security in their development process. Furthermore, with NIST being the recognized leading global authority on cybersecurity guidance, we can also anticipate other governments mirroring similar standards as this becomes the new normal in software development.