NSA and CISA issue guidance”Software Supply Chain Security: A Recommended Guide for Developers” last month and while David Wheeler, director of open source supply chain security at the Linux Foundation and OpenSS welcomes it, he said there are some questionable requirements.
The guide covers security aspects such as how to develop secure code, how to test third-party components, and how to harden your build environment, among others. It’s also part of the government’s efforts to strengthen supply chain security, stemming from last year’s executive order aimed at curbing a 650% increase in supply chain attacks, according to State of the Sonatype Software Supply Chain 2021.
The guidelines encourage developers to receive regular, appropriate security training and to periodically evaluate it, at least annually. Security training for the development team is ideally provided by a centralized team of security experts who can help product teams increase their expertise in secure development.
One of the problems Wheeler found is that the report assumes that all software is developed by large software development teams, but that’s not actually the case for all industries.
“They make all these assumptions about the many reviews of the big teams. And that’s assuming there’s some kind of internal computer network,” Wheeler said. “For many organizations, this does not exist. And in fact, it’s moving towards zero trust to move away from trusting the internal network. And so they’re kind of making old-school assumptions or that they’re out of date, you’re going to see that again, and again, they’re making really unreasonable demands on the development environment.”
Wheeler said there also appears to be a lack of understanding of open source security (OSS).
“The term commercial product by definition includes open source software, and yet they talk about commercial as if it’s not the same as open source software,” Wheeler said.
Finally, according to Wheeler, there was not adequate industry engagement or public review of the draft during the development of the guidance.
“Most software expertise is outside the US government, not within it, because that’s where most software is developed today. The document has many other problems that stem in part from inadequate public scrutiny,” Wheeler said.
Wheeler strongly believes that the education system and the software supply chain need to do a better job of teaching developers the basic fundamentals of security-aware software development, and welcomes the fact that the guide has some developer-focused guidance.
“Historically, the US government spends a lot of effort trying to tweak malicious software and somehow magically turn it into safe software. It didn’t work,” Wheeler said. “That being said, I’m very happy that they’re providing guidance for developers.”
Wheeler appreciates that management encourages developers to use design principles from Saltzer & Schroeder’s list that has stood the test of time. The Saltzer & Schroeder List is a set of eight principles for designing secure computer systems. The principles are named after their creators, Jerome H. Salzer and Michael D. Schroeder, who published them in 1974.
He added that developers should at least know what the most common types of vulnerabilities are, including the CWE Top 25 and OWASP Top 10, as well as the main types of security tools and how to apply them. Developers need to know that they need to do “negative testing” and understand the importance of automated testing with high coverage.
They also need to know how to evaluate OSS, how to use tools like package managers to automate management. Finally, they should focus on securing their environment and start using MFA tokens, which stop many attacks.