The new Executive Order on cybersecurity is designed to improve the nation’s cyber defenses and help federal government agencies and military organizations defend government data and networks from increasingly sophisticated and persistent cyberattacks. And this Executive Order couldn’t come at a better time.
While the Executive Order wasn’t a direct result of this incident, it was released just days after the ransomware attack against the Colonial Pipeline Company. That attack against a vital part of America’s critical energy supply chain could have been one of the most impactful cyberattacks that our nation has experienced in the past decade.
While the attack didn’t expose the personally identifiable information (PII) of a massive amount of Americans like the Experian data breach that impacted 24 million customers, it had ramifications that reverberated across the entire east coast. With the Colonial Pipeline Company shut down as a result of the ransomware attack, Americans foolishly began hoarding gas, creating a gas shortage in multiple east coast states that lasted a number of days.
That attack – coupled with the SolarWinds attack in 2020 that may have resulted in upwards of ten government agencies being breached – illustrate just how imperative it is to protect critical infrastructure and government agencies from cyberattacks today. And the Executive Order could make great strides in helping government organizations better prepare and protect themselves from a threat landscape that is getting more bold and better equipped with each successful breach.
Let’s look at some of the provisions in the Executive Order and what they mean for government agencies.
A Mandate to Share Data and Innovate
The Executive Order is quite large and far-reaching – attempting to cover on multiple large issues and challenges that the government is currently facing in network and data security. Each section of the Executive Order lays out desired changes and new initiatives for government agencies to take in an attempt to better control who is on their networks, more quickly identify malicious activity, and more effectively share breach data and information across agencies and with private sector partners.
The Executive Order works to make changes in the government’s contracts and agreements with private sector IT service providers. These changes are intended to increase information sharing and ensure that the government and its industry partners are disclosing breach information early on to ensure that every organization involved is aware of potential threats and can take preventative steps to protect their networks.
In Section Three of the Executive Order, government agencies are encouraged to embrace secure cloud solutions. The CISA and OMB are also tasked with developing secure cloud adoption practices and guidelines and a federal cloud security strategy, respectively. But cloud isn’t the only new technology that the Executive Order advocates for within the government. It also encourages agencies to begin embracing a Zero Trust approach to network security and multi-factor authentication for identity management.
However, what I find most exciting among the provisions of the Executive Order is the entire section dedicated to securing the application and software supply chain.
Securing the Software Supply Chain
Vulnerabilities in the application layer remain some of the most exploited in cyberattacks across all sectors and industries. This means taking steps to advance the secure development of applications within the government – and by those that make applications for the government – can go a long way towards protecting agencies and their data from malicious actors.
Dedicating an entire section of the Executive Order to securing the software supply chain is something that I applaud, since insecure, vulnerable software is such a risk for our government – especially at a time of digital transformation, when software is starting to play an on outsized role in agency operations.
However, the Executive Order, itself, doesn’t directly mandate any government organizations to take any actions to secure their software development lifecycle or software supply chain. Rather, it directs the Secretary of Commerce and the Director of NIST to, “solicit input from the federal government, private sector, academia, and other appropriate actors to…issue guidance identifying practices that enhance the security of the software supply chain.”
The Executive Order instructs the Secretary of Commerce and the Director of NIST to include criteria in that guidance regarding:
• Employing automated tools, or comparable processes, to maintain trusted source code supply chains
• Employing automated tools, or comparable processes, that check for vulnerabilities and remediate them
• Maintaining accurate and up-to-date data, provenance of software code or components, and controls on internal and third-party software components
• Providing purchasers a Software Bill of Materials (SBOM) for each product
The guidance from the Secretary of Commerce and the Director of NIST is due approximately 270 days from the release of the Executive Order, And based on the criteria that the Executive Order encourages them include in that guidance, it’s reasonable to believe that it will include recommendations for agencies to embrace static application security testing, software composition analysis, and interactive application security testing.
This is an intelligent recommendation, because implementing those three application security testing tools can go a long way towards identifying and remediating vulnerabilities early in the development process. Together, these three technologies have the ability to scan code for vulnerabilities while its being written. They can scan open source code for known vulnerabilities. And they can even test running applications for vulnerabilities.
However, should the Secretary of Commerce and the Director of NIST decide to include the adoption of static application security testing, software composition analysis, and interactive application security testing in their eventual guidance, there are some considerations that they should also provide to help agencies choose the most effective solutions.
Here are five considerations that agencies should be directed to keep in mind when choosing application security testing solutions:
1) Scan source code early in the process – any solutions or tools that the guidance recommends to government agencies should be capable of automating the testing of source code and do it early in the development process. This ensures that vulnerabilities are identified and remediated earlier – when they’re easier and less costly to fix.
2) Repository-centric scanning – Application security testing solutions should be able to scan code in source code repositories for known vulnerabilities when pull requests are made. This expedites the software development lifecycle while enabling the secure use of open source code.
3) Automating SBOM creation – One of the criteria in the Executive Order involved the creation of a Software Bill of Materials for software purchasers. This can be a heavy lift for developers – especially ones utilizing open source code – that could result in adding processes and time to the software development lifecycle. Source code analysis solutions should be able to build SBOMs by identifying vulnerabilities in the source code and then compiling all vulnerabilities identified in a log for developers.
4) Require training, not just testing – It’s one thing to test software for vulnerabilities and another to eliminate vulnerabilities altogether. By requiring developer training that integrates with application testing, agencies can keep vulnerabilities from being written into the code in the first place.
5) Security vs. quality – There is an important distinction to be made between software analysis and testing tools that focus on quality, versus those that focus on security. Organizations need to understand which tools specialize in each use case and ensure security testing tools are implemented to secure their software supply chain.
To learn more about why AppSec is so essential in the government today, click HERE for a complimentary copy of the eBook, “5 Reasons to Prioritize Software Security.”
Jeff Ingram is the regional sales manager for the Department of Defense at Checkmarx.